Posted to announce@apache.org by Ralph Goers <rg...@apache.org> on 2022/10/25 20:03:13 UTC

CVE-2022-42468 - Apache Flume Improper Input Validation (JNDI Injection) in JMSSource

Severity: medium

Description:

Flume's JMSSource class can be configured with a providerUrl parameter. A JNDI lookup is performed on this name without any validation. This could result in untrusted data being deserialized.

Mitigation
Upgrade to Flume 1.11.0.

In releases 1.4.0 through 1.10.1 the JMSSource should not be used.

Release Details
In release 1.11.0, if a protocol is specified in the connection factory parameter, only the java protocol will be allowed. If no protocol is specified, the name will also be allowed.
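The allow-list rule described above, written out as an added example that is not Flume's own code: a JNDI name is accepted only when it carries no URL scheme at all or when its scheme is "java"; any other scheme is rejected before the lookup runs. The class and method names are hypothetical, and the scheme detection (a colon that appears before the first slash) is modelled on how JNDI decides whether a name is a URL rather than a plain composite name.

```java
/**
 * Added example, not Flume's own code. Guards a JNDI name before it reaches
 * InitialContext.lookup(), following the rule described for Flume 1.11.0:
 * no scheme, or the "java" scheme, is allowed; everything else is rejected.
 */
public final class JndiNameGuard {

    private JndiNameGuard() {}

    /**
     * Returns the URL scheme of a JNDI name, or null if the name has none.
     * A scheme is the text before the first ':' when that ':' occurs before
     * any '/', which is how JNDI distinguishes "ldap://host/x" (URL) from
     * "jms/ConnectionFactory" (composite name, no scheme).
     */
    static String urlScheme(String name) {
        int colon = name.indexOf(':');
        int slash = name.indexOf('/');
        if (colon > 0 && (slash < 0 || colon < slash)) {
            return name.substring(0, colon);
        }
        return null;
    }

    /** True if the name is scheme-less or uses the "java" scheme. */
    public static boolean isAllowedJndiName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        String scheme = urlScheme(name);
        return scheme == null || scheme.equalsIgnoreCase("java");
    }

    /** Throws at the call site instead of silently passing a bad name on. */
    public static String requireAllowed(String name) {
        if (!isAllowedJndiName(name)) {
            throw new IllegalArgumentException(
                "JNDI name rejected: only scheme-less names or the java scheme are allowed");
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the hostnames are placeholders.
        String[] samples = {
            "jms/ConnectionFactory",                // no scheme      -> allowed
            "java:comp/env/jms/ConnectionFactory",  // java scheme    -> allowed
            "ldap://example.invalid/cn=Factory",    // other scheme   -> rejected
            "rmi://example.invalid/Factory"         // other scheme   -> rejected
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isAllowedJndiName(s) ? "allowed" : "rejected"));
        }
    }
}
```

Place the `requireAllowed` call immediately before the `lookup`, so a configuration value that names a remote directory or registry never reaches the JNDI provider. The check is deliberately an allow-list rather than a deny-list of known schemes, so a scheme the author has not thought of is rejected by default.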

Credit
This issue was found by nbxiglk.