oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2022-34916: Apache Flume: Improper Input Validation (JNDI Injection) in JMSMessageConsumer

From: Ralph Goers <rgoers () apache org>
Date: Sat, 20 Aug 2022 22:55:58 +0000
Description:

Apache Flume versions 1.4.0 through 1.10.0 are vulnerable to a remote code execution (RCE) attack when a configuration 
uses a JMS Source with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue 
is fixed by limiting JNDI to allow only the use of the java protocol or no protocol. 

This issue is being tracked as FLUME-3428

Credit:

Apache Flume would like to thank Frentzen Amaral for reporting this issue.

References:

https://issues.apache.org/jira/browse/FLUME-3428
https://lists.apache.org/thread/qkmt4r2t9tbrxrdbjg1m2oczbvczd9zn
Previous By Date Next
Previous By Thread Next

Current thread: