Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object
de-serialisation vulnerability. Camel allows to specify such a type through the 'CamelJacksonUnmarshalType'
property. De-serializing untrusted data can lead to security flaws as demonstrated in various similar reports about Java de-serialization issues.

Mitigation: 2.16.x users should upgrade to 2.16.5, 2.17.x users should upgrade to 2.17.5, 2.18.x users should
upgrade to 2.18.2.

The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-10567 and https://issues.apache.org/jira/browse/CAMEL-10604
refers to the various commits that resovoled the issue, and have more details.

References

• https://nvd.nist.gov/vuln/detail/CVE-2016-8749
• https://access.redhat.com/errata/RHSA-2017:1832
• GHSA-vvjc-q5vr-52q6
• https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E
• https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E
• https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
• http://camel.apache.org/security-advisories.data/CVE-2016-8749.txt.asc?version=2&modificationDate=1486565034000&api=v2
• http://www.openwall.com/lists/oss-security/2017/05/22/2
• http://www.securityfocus.com/bid/97179
• apache/camel@10f5526
• apache/camel@235036d
• apache/camel@2b0e961
• apache/camel@57d01e2
• apache/camel@5ae9c0d
• apache/camel@7567488
• apache/camel@83fef71
• apache/camel@881e509
• apache/camel@8c862aa
• apache/camel@abb45b2
• apache/camel@ccf149c
• apache/camel@d410251
• https://issues.apache.org/jira/browse/CAMEL-10567
• https://issues.apache.org/jira/browse/CAMEL-10604