List: oss-security
Subject: [oss-security] CVE-2022-25167 - Apache Flume JMSSource does not protect from malicious JNDI urls
From: Ralph Goers <rgoers () apache ! org>
Date: 2022-06-14 7:22:00
Message-ID: EC5BDCA4-8FF7-41E0-9177-5F4DD8A96841 () apache ! org
Severity: medium

Description:
Flume's JMSSource class can be configured with a connection factory name. A JNDI lookup is performed on this name without performing any validation. This could result in untrusted data being deserialized.
Mitigation
Upgrade to Flume 1.10.0.
In releases 1.4.0 through 1.9.0 the JMSSource should not be used.
Release Details
In release 1.10.0, if a protocol is specified in the connection factory parameter only the java protocol will be allowed. If no protocol is specified it will also be allowed.
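The check described above, as an added illustration rather than Flume's own code: a JNDI name is accepted only when it carries no scheme at all or the "java" scheme, and the lookup is refused otherwise. The class, method and sample names are assumptions made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Added example (not Flume's code): guard a JNDI connection factory lookup so
 * that only scheme-less names and "java:" names are ever passed to JNDI.
 */
public final class JndiNameCheck {

    /** Returns true when the name is acceptable for InitialContext.lookup(). */
    public static boolean isAllowedConnectionFactoryName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        String scheme;
        try {
            // Plain names such as "jms/ConnectionFactory" have no scheme, so
            // URI.getScheme() returns null for them.
            scheme = new URI(name).getScheme();
        } catch (URISyntaxException e) {
            // Anything that does not even parse as a URI is rejected.
            return false;
        }
        return scheme == null || scheme.equalsIgnoreCase("java");
    }

    /** Performs the lookup only after the name has passed the scheme check. */
    public static Object lookupConnectionFactory(String name) throws NamingException {
        if (!isAllowedConnectionFactoryName(name)) {
            throw new IllegalArgumentException(
                "Refusing JNDI lookup: only the java protocol is allowed, got " + name);
        }
        return new InitialContext().lookup(name);
    }

    public static void main(String[] args) {
        // Constructed sample names; "example.invalid" is a reserved placeholder host.
        String[] names = {
            "ConnectionFactory",                  // accepted: no scheme
            "java:comp/env/jms/ConnectionFactory", // accepted: java scheme
            "ldap://example.invalid:1389/cf",      // rejected: foreign scheme
            "rmi://example.invalid/cf"             // rejected: foreign scheme
        };
        for (String n : names) {
            System.out.println(n + " -> " + (isAllowedConnectionFactoryName(n) ? "allowed" : "rejected"));
        }
    }
}
```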
Credit
This issue was found by the Flume development team.