This is an automated email from the ASF dual-hosted git repository.
rgoers pushed a commit to branch asf-staging
in repository https://gitbox.apache.org/repos/asf/flume-site.git
The following commit(s) were added to refs/heads/asf-staging by this push:
new 05c3a835 Add info about CVE-2022-42468
05c3a835 is described below
commit 05c3a835912679bca1dbd542e686e4d634dd76e6
Author: Ralph Goers <[email protected]>
AuthorDate: Mon Oct 24 22:58:32 2022 -0700
Add info about CVE-2022-42468
---
content/.doctrees/environment.pickle | Bin 202256 -> 202241 bytes
content/.doctrees/index.doctree | Bin 220940 -> 222549 bytes
content/.doctrees/security.doctree | Bin 31749 -> 43566 bytes
content/_sources/index.txt | 5 ++++-
content/_sources/security.txt | 30 ++++++++++++++++++++++++++++++
content/index.html | 4 +++-
content/searchindex.js | 2 +-
content/security.html | 32 ++++++++++++++++++++++++++++++++
source/sphinx/index.rst | 5 ++++-
source/sphinx/security.rst | 30 ++++++++++++++++++++++++++++++
10 files changed, 104 insertions(+), 4 deletions(-)
diff --git a/content/.doctrees/environment.pickle
b/content/.doctrees/environment.pickle
index 70011aaf..6b7925a5 100644
Binary files a/content/.doctrees/environment.pickle and
b/content/.doctrees/environment.pickle differ
diff --git a/content/.doctrees/index.doctree b/content/.doctrees/index.doctree
index 102ffced..4b59c3dd 100644
Binary files a/content/.doctrees/index.doctree and
b/content/.doctrees/index.doctree differ
diff --git a/content/.doctrees/security.doctree
b/content/.doctrees/security.doctree
index 515b1ea5..ba81b0cb 100644
Binary files a/content/.doctrees/security.doctree and
b/content/.doctrees/security.doctree differ
diff --git a/content/_sources/index.txt b/content/_sources/index.txt
index 5f6764b2..12dffb52 100644
--- a/content/_sources/index.txt
+++ b/content/_sources/index.txt
@@ -33,7 +33,7 @@ application.
.. raw:: html
- <h3>Oct 13, 2022 - Apache Flume 1.11.0 Released</h3>
+ <h3>Oct 24, 2022 - Apache Flume 1.11.0 Released</h3>
The Apache Flume team is pleased to announce the release of Flume 1.11.0.
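Review bot: the only change in this hunk moves the news heading date from Oct 13, 2022 to Oct 24, 2022, and the commit message ("Add info about CVE-2022-42468") does not explain why the announced release date should change. If the intent is to date the security addendum rather than the release itself, keep the original release date in the heading and give the CVE note its own dated line.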
@@ -47,6 +47,9 @@ This version of Flume adds support for deploying Flume as a
Spring Boot applicat
Kafka source and sink for passing the Kafka timestamp and headers, and allows
SSL hostname verification
to be disabled in the Kafka source and sink.
+Flume 1.11.0 contains a fix for `CVE-2022-42468
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468>`__.
+See the `Flume Security <./security.html>`__ page for more details.
+
The full change log and documentation are available on the
`Flume 1.11.0 release page <releases/1.11.0.html>`__.
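Review bot: the added news line says 1.11.0 contains a fix for CVE-2022-42468 but gives no hint of what it affects, so readers must click through to judge relevance; a few words from the security page, such as "in JMSSource (Flume 1.4.0 through 1.10.1)", would make the entry self-describing.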
diff --git a/content/_sources/security.txt b/content/_sources/security.txt
index be6fae26..72fe61d2 100644
--- a/content/_sources/security.txt
+++ b/content/_sources/security.txt
@@ -10,6 +10,36 @@ If you need help on building or configuring Flume or other
help on following the
If you have encountered an unlisted security vulnerability or other unexpected
behaviour that has security impact, or if the descriptions here are incomplete,
please report them privately to the `Flume SecurityTeam
<mailto:[email protected]>`__. Thank you!
+.. rubric:: Fixed in Flume 1.11.0
+
+`CVE-2022-42468
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468>`__: Apache
Flume Improper Input Validation (JNDI Injection) in JMSSource.
+
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| `CVE-2022-42468
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468>`__ |
Deserialization of Untrusted Data |
++====================================================================================+==========================================================================+
+| Severity
| Moderate
|
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| Base CVSS SCore
| 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
|
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| Versions Affected
| Flume 1.4.0 through 1.10.1
|
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+
+.. rubric:: Description
+
+Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code
execution (RCE) attack when a configuration uses a JMS Source with an unsafe
providerURL. This issue is fixed by limiting JNDI to allow only the use of the
java protocol or no protocol.
+
+.. rubric:: Mitigation
+
+Do not use JMSSource or upgrade to Apache Flume 1.11.0
+
+.. rubric:: Release Details
+
+In release 1.11.0, if a protocol is specified in the providerUrl parameter
only the java protocol will be allowed. If no protocol is specified it will
also be allowed.
+
+.. rubric:: Credit
+
+This issue was found by Xian Wei.
+
.. rubric:: Fixed in Flume 1.10.1
`CVE-2022-34916
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916>`__: Apache
Flume vulnerable to a JNDI RCE in JMSMessageConsumer.
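Review bot: the new entry classifies the issue two different ways: the title line calls it "Improper Input Validation (JNDI Injection) in JMSSource" while the table header calls it "Deserialization of Untrusted Data"; pick one weakness class and use it in both places. Also in this hunk: "Base CVSS SCore" should read "Base CVSS Score"; the Description writes providerURL while Release Details writes providerUrl, and the parameter name should be spelled one way; and the Mitigation line "Do not use JMSSource or upgrade to Apache Flume 1.11.0" is missing its terminating period. The 6.6 base score is consistent with the vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H, so no change needed there.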
diff --git a/content/index.html b/content/index.html
index 5eb1d572..82c3b152 100644
--- a/content/index.html
+++ b/content/index.html
@@ -71,7 +71,7 @@ application.</p>
<img alt="Agent component diagram" src="_images/DevGuide_image00.png" />
</div>
<p class="rubric">News</p>
-<h3>Oct 13, 2022 - Apache Flume 1.11.0 Released</h3><p>The Apache Flume team
is pleased to announce the release of Flume 1.11.0.</p>
+<h3>Oct 24, 2022 - Apache Flume 1.11.0 Released</h3><p>The Apache Flume team
is pleased to announce the release of Flume 1.11.0.</p>
<p>Flume is a distributed, reliable, and available service for efficiently
collecting, aggregating, and moving large amounts of streaming event data.</p>
<p>Flume 1.11.0 is stable, production-ready software, and is
backwards-compatible with
@@ -79,6 +79,8 @@ previous versions of the Flume 1.x codeline.</p>
<p>This version of Flume adds support for deploying Flume as a Spring Boot
application, adds support to the
Kafka source and sink for passing the Kafka timestamp and headers, and allows
SSL hostname verification
to be disabled in the Kafka source and sink.</p>
+<p>Flume 1.11.0 contains a fix for <a class="reference external"
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468">CVE-2022-42468</a>.
+See the <a class="reference external" href="./security.html">Flume
Security</a> page for more details.</p>
<p>The full change log and documentation are available on the
<a class="reference external" href="releases/1.11.0.html">Flume 1.11.0 release
page</a>.</p>
<p>This release can be downloaded from the Flume <a class="reference external"
href="download.html">Download</a> page.</p>
diff --git a/content/searchindex.js b/content/searchindex.js
index 6a1d63c2..7b16d43a 100644
--- a/content/searchindex.js
+++ b/content/searchindex.js
@@ -1 +1 @@
-Search.setIndex({objtypes:{},objects:{},titles:["Version 1.0.0 -
Incubating","Version 1.10.0","Version 1.1.0 - Incubating","Version
1.11.0","Version 1.10.1","Version 1.3.1","Version 1.4.0","Version
1.5.0","Version 1.2.0","Version 1.3.0","Version 1.8.0","Flume 1.11.0 Developer
Guide","Version 1.5.0.1","Version 1.9.0","Version 1.6.0","Version
1.7.0","Version 1.5.2","Source Repository","Apache Flume Security
Vulnerabilities","Download","Mailing lists","Flume 1.11.0 User
Guide","Testing","Do [...]
\ No newline at end of file
+Search.setIndex({objtypes:{},objects:{},titles:["Version 1.0.0 -
Incubating","Version 1.10.0","Version 1.1.0 - Incubating","Version
1.11.0","Version 1.10.1","Version 1.3.1","Version 1.4.0","Version
1.5.0","Version 1.2.0","Version 1.3.0","Version 1.8.0","Flume 1.11.0 Developer
Guide","Version 1.5.0.1","Version 1.9.0","Version 1.6.0","Version
1.7.0","Version 1.5.2","Source Repository","Download","Mailing lists","Apache
Flume Security Vulnerabilities","Flume 1.11.0 User Guide","Testing","Do [...]
\ No newline at end of file
diff --git a/content/security.html b/content/security.html
index 2d4d7c0d..f2146594 100644
--- a/content/security.html
+++ b/content/security.html
@@ -65,6 +65,38 @@
<p>Binary patches are never provided. If you need to apply a source code
patch, use the building instructions for the Apache Flume version that you are
using.</p>
<p>If you need help on building or configuring Flume or other help on
following the instructions to mitigate the known vulnerabilities listed here,
please subscribe to, and send your questions to the public Flume Users mailing
list.</p>
<p>If you have encountered an unlisted security vulnerability or other
unexpected behaviour that has security impact, or if the descriptions here are
incomplete, please report them privately to the <a class="reference external"
href="mailto:private%40flume.apche.org">Flume
SecurityTeam</a>. Thank you!</p>
+<p class="rubric">Fixed in Flume 1.11.0</p>
+<p><a class="reference external"
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468">CVE-2022-42468</a>:
Apache Flume Improper Input Validation (JNDI Injection) in JMSSource.</p>
+<table border="1" class="docutils">
+<colgroup>
+<col width="53%" />
+<col width="47%" />
+</colgroup>
+<thead valign="bottom">
+<tr class="row-odd"><th class="head"><a class="reference external"
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468">CVE-2022-42468</a></th>
+<th class="head">Deserialization of Untrusted Data</th>
+</tr>
+</thead>
+<tbody valign="top">
+<tr class="row-even"><td>Severity</td>
+<td>Moderate</td>
+</tr>
+<tr class="row-odd"><td>Base CVSS SCore</td>
+<td>6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)</td>
+</tr>
+<tr class="row-even"><td>Versions Affected</td>
+<td>Flume 1.4.0 through 1.10.1</td>
+</tr>
+</tbody>
+</table>
+<p class="rubric">Description</p>
+<p>Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code
execution (RCE) attack when a configuration uses a JMS Source with an unsafe
providerURL. This issue is fixed by limiting JNDI to allow only the use of the
java protocol or no protocol.</p>
+<p class="rubric">Mitigation</p>
+<p>Do not use JMSSource or upgrade to Apache Flume 1.11.0</p>
+<p class="rubric">Release Details</p>
+<p>In release 1.11.0, if a protocol is specified in the providerUrl parameter
only the java protocol will be allowed. If no protocol is specified it will
also be allowed.</p>
+<p class="rubric">Credit</p>
+<p>This issue was found by Xian Wei.</p>
<p class="rubric">Fixed in Flume 1.10.1</p>
<p><a class="reference external"
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916">CVE-2022-34916</a>:
Apache Flume vulnerable to a JNDI RCE in JMSMessageConsumer.</p>
<table border="1" class="docutils">
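Review bot: the unchanged context line `href="mailto:private%40flume.apche.org"` has a typo in the domain (apche), so the private-reporting link the page asks researchers to use is broken; since this file is generated, correct the mailto in the rst source and regenerate. The "Base CVSS SCore" typo from the source is also carried into this page (`<td>Base CVSS SCore</td>`).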
diff --git a/source/sphinx/index.rst b/source/sphinx/index.rst
index 5f6764b2..12dffb52 100644
--- a/source/sphinx/index.rst
+++ b/source/sphinx/index.rst
@@ -33,7 +33,7 @@ application.
.. raw:: html
- <h3>Oct 13, 2022 - Apache Flume 1.11.0 Released</h3>
+ <h3>Oct 24, 2022 - Apache Flume 1.11.0 Released</h3>
The Apache Flume team is pleased to announce the release of Flume 1.11.0.
@@ -47,6 +47,9 @@ This version of Flume adds support for deploying Flume as a
Spring Boot applicat
Kafka source and sink for passing the Kafka timestamp and headers, and allows
SSL hostname verification
to be disabled in the Kafka source and sink.
+Flume 1.11.0 contains a fix for `CVE-2022-42468
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468>`__.
+See the `Flume Security <./security.html>`__ page for more details.
+
The full change log and documentation are available on the
`Flume 1.11.0 release page <releases/1.11.0.html>`__.
diff --git a/source/sphinx/security.rst b/source/sphinx/security.rst
index be6fae26..72fe61d2 100644
--- a/source/sphinx/security.rst
+++ b/source/sphinx/security.rst
@@ -10,6 +10,36 @@ If you need help on building or configuring Flume or other
help on following the
If you have encountered an unlisted security vulnerability or other unexpected
behaviour that has security impact, or if the descriptions here are incomplete,
please report them privately to the `Flume SecurityTeam
<mailto:[email protected]>`__. Thank you!
+.. rubric:: Fixed in Flume 1.11.0
+
+`CVE-2022-42468
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468>`__: Apache
Flume Improper Input Validation (JNDI Injection) in JMSSource.
+
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| `CVE-2022-42468
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468>`__ |
Deserialization of Untrusted Data |
++====================================================================================+==========================================================================+
+| Severity
| Moderate
|
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| Base CVSS SCore
| 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
|
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| Versions Affected
| Flume 1.4.0 through 1.10.1
|
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+
+.. rubric:: Description
+
+Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code
execution (RCE) attack when a configuration uses a JMS Source with an unsafe
providerURL. This issue is fixed by limiting JNDI to allow only the use of the
java protocol or no protocol.
+
+.. rubric:: Mitigation
+
+Do not use JMSSource or upgrade to Apache Flume 1.11.0
+
+.. rubric:: Release Details
+
+In release 1.11.0, if a protocol is specified in the providerUrl parameter
only the java protocol will be allowed. If no protocol is specified it will
also be allowed.
+
+.. rubric:: Credit
+
+This issue was found by Xian Wei.
+
.. rubric:: Fixed in Flume 1.10.1
`CVE-2022-34916
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916>`__: Apache
Flume vulnerable to a JNDI RCE in JMSMessageConsumer.
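Review bot: this hunk has the same blob ids (be6fae26..72fe61d2) as the content/_sources/security.txt hunk, so this rst file is where the fixes belong and the content copy should be regenerated: correct "Base CVSS SCore" to "Base CVSS Score", settle on one weakness class for the title line ("Improper Input Validation (JNDI Injection)") and the table header ("Deserialization of Untrusted Data"), spell the parameter name consistently (providerURL vs providerUrl), and end the Mitigation line with a period.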