
===================================================================
                              CERT-Renater

                   Information Note No. 2022/VULN225

_____________________________________________________________________

DATE                : 30/06/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Flume versions prior to
                     1.10.0.

====================================================================
https://lists.apache.org/thread/bl2wdrvr7lmxtd1m8o6kjzs98fbm5c94
_____________________________________________________________________

CVE-2022-25167 - Apache Flume JMSSource does not protect from malicious
JNDI URLs
Severity: medium


Description:

Flume's JMSSource class can be configured with a connection factory
name. A JNDI lookup is performed on this name without any validation.
This could result in untrusted data being deserialized.


Mitigation
Upgrade to Flume 1.10.0.

In releases 1.4.0 through 1.9.0 the JMSSource should not be used.


Release Details
In release 1.10.0, if a protocol is specified in the connection factory
parameter, only the java protocol is allowed. A name with no protocol
is also allowed.
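The 1.10.0 rule above, as an added example that is not Flume's own code: a scheme allow-list applied to the connection factory name before any JNDI lookup. The class and method names are assumptions, and scheme detection follows the rule JNDI uses to recognise a URL name (a ':' before the first '/').

```java
import java.util.Locale;

/**
 * Illustrative scheme allow-list for a JNDI connection factory name,
 * mirroring the rule the advisory describes for Flume 1.10.0: no protocol
 * or the "java" protocol is allowed, anything else (ldap, rmi, iiop, ...)
 * is rejected before any lookup. Example code, not Flume's own; names assumed.
 */
public final class JndiNameCheck {

    /**
     * Scheme of a JNDI name, or null if none, using the rule JNDI itself
     * applies when deciding a name is a URL: ':' appears before the first '/'.
     */
    static String scheme(String name) {
        int colon = name.indexOf(':');
        int slash = name.indexOf('/');
        if (colon > 0 && (slash == -1 || colon < slash)) {
            return name.substring(0, colon).toLowerCase(Locale.ROOT);
        }
        return null;
    }

    /** True if the name passes the allow-list (no scheme, or "java"). */
    public static boolean isAllowed(String name) {
        if (name == null || name.isEmpty()) return false;
        String s = scheme(name);
        return s == null || s.equals("java");
    }

    /** Guard to call before InitialContext.lookup(name). */
    public static void requireAllowed(String name) {
        if (!isAllowed(name)) {
            throw new IllegalArgumentException("disallowed JNDI protocol: " + name);
        }
    }

    public static void main(String[] args) {
        String[] samples = {                        // constructed names
            "ConnectionFactory",                    // no scheme   -> allow
            "java:comp/env/jms/ConnectionFactory",  // java scheme -> allow
            "jms/cf:primary",                       // '/' first   -> allow
            "ldap://remote.example/cn=cf",          // ldap        -> reject
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "allow  " : "reject ") + s);
        }
    }
}
```

Calling requireAllowed before the lookup is what turns the advisory's rule into a hard stop: a name carrying a remote protocol never reaches the JNDI provider, so nothing is fetched or deserialized.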


Credit
This issue was found by the Flume development team.


=======================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=======================================================