This is an automated email from the ASF dual-hosted git repository. ppkarwasz pushed a commit to branch docs/move-flume-site in repository https://gitbox.apache.org/repos/asf/logging-flume.git
commit 9720ca5a8201528a246d0246c0c45be39a4308a1 Author: Ralph Goers <[email protected]> AuthorDate: Sat Aug 20 14:27:59 2022 -0700 Release 1.10.1 --- source/sphinx/releases/1.10.1.rst | 2 +- source/sphinx/security.rst | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/source/sphinx/releases/1.10.1.rst b/source/sphinx/releases/1.10.1.rst index 4d323179..248cf761 100644 --- a/source/sphinx/releases/1.10.1.rst +++ b/source/sphinx/releases/1.10.1.rst @@ -18,7 +18,7 @@ Apache Flume 1.10.1 is the next release of Flume as an Apache top-level project Release Notes - Flume - Version v1.10.1 ** Bug - * [`FLUME-3428 <https://issues.apache.org/jira/browse/FLUME-3428>`__] - Need better parameter validation + * [`FLUME-3428 <https://issues.apache.org/jira/browse/FLUME-3428>`__] - Fix for CVE-2022-34916, improper use of JNDI in JMSMessageConsumer * [`FLUME-3434 <https://issues.apache.org/jira/browse/FLUME-3434>`__] - TwitterSource exceptions on serialization ** Improvement diff --git a/source/sphinx/security.rst b/source/sphinx/security.rst index eef07a2e..ee4ca840 100644 --- a/source/sphinx/security.rst +++ b/source/sphinx/security.rst @@ -10,6 +10,39 @@ If you need help on building or configuring Flume or other help on following the If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the `Flume SecurityTeam <mailto:[email protected]>`__. Thank you! +.. rubric:: Fixed in Flume 1.10.1 + +`CVE-2022-34916 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916>`__: Apache Flume vulnerable to a JNDI RCE in JMSMessageConsumer. + ++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ +| `CVE-2022-25167 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916>`__ | Deserialization of Untrusted Data | ++====================================================================================+==========================================================================+ +| Severity | Moderate | ++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ +| Base CVSS SCore | 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) | ++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ +| Versions Affected | Flume 1.4.0 through 1.10.0 | ++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ + +.. rubric:: Description + +Flume's JMSMessageConsumer class can be configured with a destination name. A JNDI lookup is performed on this name without performing an validation. This could result in untrusted data being deserialized. + +.. rubric:: Mitigation + +Upgrade to Flume 1.10.1. + +In releases 1.4.0 through 1.10.0 the JMSSource should not be used as it uses JMSMessageConsumer. + +.. rubric:: Release Details + +In release 1.10.1, if a protocol is specified in the destination name parameter only the java protocol will be allowed. If no protocol is specified it will also be allowed. + +.. rubric:: Credit + +This issue was found by Frentzen Amaral. + + .. rubric:: Fixed in Flume 1.10.0 `CVE-2022-25167 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25167>`__: Apache Flume vulnerable to a JNDI RCE in JMSSource.
