You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@flume.apache.org by Ralph Goers <ra...@dslextreme.com> on 2022/06/14 07:21:54 UTC

CVE-2022-25167 - Apache Flume JMSSource does not protect from malicious JNDI urls

Severity, medium

Description:

Flume’s JMSSource class can be configured with a connection factory name. A JNDI lookup is performed on this name without performing an validation. This could result in untrusted data being deserialized.

Mitigation
Upgrade to Flume 1.10.0.

In releases 1.4.0 through 1.9.0 the JMSSource should not be used.

Release Details
In release 1.10.0, if a protocol is specified in the connection factory parameter only the java protocol will be allowed. If no protocol is specified it will also be allowed.

Credit
This issue was found by the Flume development team.