
List:       flume-dev
Subject:    CVE-2022-42468 - Apache Flume Improper Input Validation (JNDI Injection) in JMSSource
From:       Ralph Goers <ralph.goers () dslextreme ! com>
Date:       2022-10-25 19:57:12
Message-ID: 8802A803-7168-414A-95B5-18529E17F305 () dslextreme ! com

Severity: medium

Description:

Flume's JMSSource class can be configured with a providerUrl parameter. A JNDI lookup is performed on this name without performing any validation. This could result in untrusted data being deserialized.

Mitigation:
Upgrade to Flume 1.11.0.

In releases 1.4.0 through 1.10.1 the JMSSource should not be used.

Release Details:
In release 1.11.0, if a protocol is specified in the connection factory parameter only the java protocol will be allowed. If no protocol is specified it will also be allowed.
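The allow-list described above, written out as an added example (this is not Flume's own code, and the exact check in Flume 1.11.0 may differ in detail): a JNDI name is accepted only when it carries no scheme at all or the `java:` scheme, and anything else (for instance an `ldap:` or `rmi:` reference) is rejected before it ever reaches `Context.lookup`. The class name, the helper names and the sample inputs are all constructed for illustration.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.naming.Context;
import javax.naming.NamingException;

/**
 * Illustrative scheme allow-list applied to a JNDI name before lookup.
 * Added example; not part of Apache Flume. Mirrors the policy the advisory
 * describes for 1.11.0: no scheme, or the "java" scheme, is accepted.
 */
public final class JndiNameGuard {

    // RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":".
    // Anchored at the start so "jms/cf:x" (no scheme, colon later) is not a match.
    private static final Pattern SCHEME = Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*):");

    /** Returns the lower-cased scheme of a JNDI name, or null when it has none. */
    static String schemeOf(String name) {
        Matcher m = SCHEME.matcher(name);
        return m.find() ? m.group(1).toLowerCase(Locale.ROOT) : null;
    }

    /** Accepts plain JNDI names (no scheme) and names using the java: scheme only. */
    static boolean isAllowed(String name) {
        if (name == null || name.trim().isEmpty()) {
            return false;
        }
        String scheme = schemeOf(name.trim());
        return scheme == null || "java".equals(scheme);
    }

    /**
     * What a source would call instead of ctx.lookup(name) directly:
     * the lookup only happens once the name has passed the allow-list.
     */
    static Object guardedLookup(Context ctx, String name) throws NamingException {
        if (!isAllowed(name)) {
            throw new IllegalArgumentException(
                "JNDI name rejected by scheme allow-list: " + name);
        }
        return ctx.lookup(name.trim());
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not values from the advisory.
        String[] samples = {
            "ConnectionFactory",                     // plain name: allowed
            "java:comp/env/jms/ConnectionFactory",   // java: scheme: allowed
            "  JAVA:comp/env/jms/cf  ",              // case and whitespace tolerated
            "ldap://untrusted-host.example/x",       // remote reference: rejected
            "rmi://untrusted-host.example/x",        // remote reference: rejected
            ""                                       // empty: rejected
        };
        for (String s : samples) {
            System.out.printf("%-40s -> %s%n", "\"" + s + "\"",
                isAllowed(s) ? "allowed" : "rejected");
        }
    }
}
```

The guard deliberately decides on the scheme alone rather than on host names or ports, which keeps the policy small enough to review: any name that could direct the naming provider at a remote endpoint is refused, and the existing lookup code is otherwise unchanged.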

Credit:
This issue was found by nbxiglk.
