
List:       oss-security
Subject:    [oss-security] CVE-2022-25167 - Apache Flume JMSSource does not protect from malicious JNDI urls
From:       Ralph Goers <rgoers () apache ! org>
Date:       2022-06-14 7:22:00
Message-ID: EC5BDCA4-8FF7-41E0-9177-5F4DD8A96841 () apache ! org
[Download RAW message or body]

Severity: medium

Description:

Flume's JMSSource class can be configured with a connection factory name. A JNDI lookup is
performed on this name without performing any validation. This could result in untrusted data
being deserialized.

Mitigation
Upgrade to Flume 1.10.0.

In releases 1.4.0 through 1.9.0 the JMSSource should not be used.

Release Details
In release 1.10.0, if a protocol is specified in the connection factory parameter only the java \
protocol will be allowed. If no protocol is specified it will also be allowed.
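The check described in the release details, as an added illustration that is not Flume's own code: the class and method names (`JndiNameCheck`, `isAllowedConnectionFactoryName`, `requireAllowedConnectionFactoryName`) are assumptions made here, and the sample names in `main` are constructed. The rule is the one stated above: a name with no protocol passes, a name whose protocol is `java` passes, and any other protocol is refused before a JNDI lookup is attempted.

```java
import java.util.Locale;

/**
 * Added example, not Flume's own code: filters a JMS connection factory name
 * so that only the JNDI "java" namespace can reach the lookup.
 */
public final class JndiNameCheck {

    private JndiNameCheck() {
    }

    /**
     * Returns true when the name carries no protocol at all, or when the
     * protocol before the first ':' is "java" (compared case-insensitively).
     * Every other protocol (ldap, rmi, iiop, ...) is rejected.
     */
    public static boolean isAllowedConnectionFactoryName(String name) {
        if (name == null || name.trim().isEmpty()) {
            return false; // nothing to look up
        }
        int colon = name.indexOf(':');
        if (colon < 0) {
            return true; // no protocol specified: allowed per the release note
        }
        String protocol = name.substring(0, colon).trim().toLowerCase(Locale.ROOT);
        return "java".equals(protocol);
    }

    /**
     * Throws before any JNDI call is made if the name is not allowed; this is
     * the point where a source would validate its configuration, ahead of
     * calling InitialContext.lookup(name).
     */
    public static String requireAllowedConnectionFactoryName(String name) {
        if (!isAllowedConnectionFactoryName(name)) {
            throw new IllegalArgumentException(
                "Connection factory name uses a protocol other than java: " + name);
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed sample names, not values from any real deployment.
        String[] samples = {
            "ConnectionFactory",            // no protocol: allowed
            "java:comp/env/jms/cf",         // java protocol: allowed
            "JAVA:/jms/ConnectionFactory",  // case-insensitive: allowed
            "ldap://example.invalid/cn=cf", // other protocol: rejected
            "rmi://example.invalid/cf"      // other protocol: rejected
        };
        for (String name : samples) {
            System.out.printf("%-32s -> %s%n", name,
                isAllowedConnectionFactoryName(name) ? "allowed" : "rejected");
        }
    }
}
```

The check runs on the configured string only and never touches JNDI itself, so it can be applied (and unit-tested) without a JMS provider present; the decision to reject is made before `InitialContext.lookup` is ever reached.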

Credit
This issue was found by the Flume development team.

