CVE-2022-25167 - Apache Flume JMSSource does not protect from malicious JNDI urls

[Ralph Goers <rgoers () apache org>]

Severity, medium

Description:

Flume’s JMSSource class can be configured with a connection factory name. A JNDI lookup is performed on this name 
without performing an validation. This could result in untrusted data being deserialized.

Mitigation
Upgrade to Flume 1.10.0.

In releases 1.4.0 through 1.9.0 the JMSSource should not be used.

Release Details
In release 1.10.0, if a protocol is specified in the connection factory parameter only the java protocol will be 
allowed. If no protocol is specified it will also be allowed.

Credit
This issue was found by the Flume development team.