List: flume-dev
Subject: CVE-2022-42468 - Apache Flume Improper Input Validation (JNDI Injection) in JMSSource
From: Ralph Goers <ralph.goers () dslextreme ! com>
Date: 2022-10-25 19:57:12
Message-ID: 8802A803-7168-414A-95B5-18529E17F305 () dslextreme ! com
Severity: medium

Description:
Flume's JMSSource class can be configured with a providerUrl parameter. A JNDI lookup is performed on this name without performing any validation. This could result in untrusted data being deserialized.

Mitigation:
Upgrade to Flume 1.11.0.
In releases 1.4.0 through 1.10.1 the JMSSource should not be used.

Release Details:
In release 1.11.0, if a protocol is specified in the connection factory parameter only the java protocol will be allowed. If no protocol is specified it will also be allowed.
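The release note above describes an allow-list rule rather than a blocklist: a JNDI name is accepted only when it carries no protocol prefix at all or when that prefix is java. The class below is an added illustration of that rule and is not Flume's own code; the class and method names are assumptions, as are the sample names in main, which are constructed for the demonstration. JNDI treats everything before the first colon as a URL scheme when deciding which URL context factory to consult, so the check deliberately inspects that prefix rather than looking for "://".

```java
import java.util.Locale;

/**
 * Illustrative allow-list check for JNDI names of the kind described for
 * Flume 1.11.0 (assumed names; not the project's implementation).
 */
public final class JndiNameCheck {

    private JndiNameCheck() {}

    /**
     * Returns true only if the name has no scheme prefix at all
     * (e.g. "ConnectionFactory") or uses the "java" scheme
     * (e.g. "java:comp/env/jms/ConnectionFactory"). Every other
     * scheme is refused, which keeps the lookup inside the local
     * naming context instead of reaching an external provider.
     */
    public static boolean isAllowed(String name) {
        if (name == null || name.trim().isEmpty()) {
            return false;                      // nothing sensible to look up
        }
        String trimmed = name.trim();
        int colon = trimmed.indexOf(':');
        if (colon < 0) {
            return true;                       // plain name, no protocol given
        }
        // JNDI resolves "<scheme>:..." through a URL context factory for
        // <scheme>, so the text before the first colon is the protocol.
        String scheme = trimmed.substring(0, colon).toLowerCase(Locale.ROOT);
        return scheme.equals("java");
    }

    /** Fail closed: callers get the name back only if it passed the check. */
    public static String requireAllowed(String name) {
        if (!isAllowed(name)) {
            throw new IllegalArgumentException(
                "Refusing JNDI lookup: only the java protocol (or none) is permitted: " + name);
        }
        return name.trim();
    }

    public static void main(String[] args) {
        // Constructed sample names for the demonstration.
        String[] samples = {
            "ConnectionFactory",
            "java:comp/env/jms/ConnectionFactory",
            "JAVA:comp/env/jms/ConnectionFactory",
            "ldap://naming.example.invalid/cf"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isAllowed(s) ? "allowed" : "refused"));
        }
    }
}
```

Wiring requireAllowed in front of the InitialContext.lookup call is the shape of the mitigation: the configuration value is checked before any naming provider is contacted, so a refused name never triggers deserialization.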

Credit:
This issue was found by nbxiglk.