This is an automated email from the ASF dual-hosted git repository.

ppkarwasz pushed a commit to branch docs/move-flume-site
in repository https://gitbox.apache.org/repos/asf/logging-flume.git

commit 9720ca5a8201528a246d0246c0c45be39a4308a1
Author: Ralph Goers <[email protected]>
AuthorDate: Sat Aug 20 14:27:59 2022 -0700

    Release 1.10.1
---
 source/sphinx/releases/1.10.1.rst |  2 +-
 source/sphinx/security.rst        | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/source/sphinx/releases/1.10.1.rst 
b/source/sphinx/releases/1.10.1.rst
index 4d323179..248cf761 100644
--- a/source/sphinx/releases/1.10.1.rst
+++ b/source/sphinx/releases/1.10.1.rst
@@ -18,7 +18,7 @@ Apache Flume 1.10.1 is the next release of Flume as an Apache 
top-level project
 Release Notes - Flume - Version v1.10.1
 
 ** Bug
-    * [`FLUME-3428 <https://issues.apache.org/jira/browse/FLUME-3428>`__] - 
Need better parameter validation
+    * [`FLUME-3428 <https://issues.apache.org/jira/browse/FLUME-3428>`__] - 
Fix for CVE-2022-34916, improper use of JNDI in JMSMessageConsumer
     * [`FLUME-3434 <https://issues.apache.org/jira/browse/FLUME-3434>`__] - 
TwitterSource exceptions on serialization
 
 ** Improvement
diff --git a/source/sphinx/security.rst b/source/sphinx/security.rst
index eef07a2e..ee4ca840 100644
--- a/source/sphinx/security.rst
+++ b/source/sphinx/security.rst
@@ -10,6 +10,39 @@ If you need help on building or configuring Flume or other 
help on following the
 
 If you have encountered an unlisted security vulnerability or other unexpected 
behaviour that has security impact, or if the descriptions here are incomplete, 
please report them privately to the `Flume SecurityTeam 
<mailto:[email protected]>`__. Thank you!
 
+.. rubric:: Fixed in Flume 1.10.1
+
+`CVE-2022-34916 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916>`__: Apache 
Flume vulnerable to a JNDI RCE in JMSMessageConsumer.
+
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| `CVE-2022-25167 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916>`__ | 
Deserialization of Untrusted Data                                        |
++====================================================================================+==========================================================================+
+| Severity                                                                     
      | Moderate                                                                
 |
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| Base CVSS SCore                                                              
      | 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)                               
 |
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| Versions Affected                                                            
      | Flume 1.4.0 through 1.10.0                                              
 |
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+
+.. rubric:: Description
+
+Flume's JMSMessageConsumer class can be configured with a destination name. A 
JNDI lookup is performed on this name without performing an validation. This 
could result in untrusted data being deserialized.
+
+.. rubric:: Mitigation
+
+Upgrade to Flume 1.10.1.
+
+In releases 1.4.0 through 1.10.0 the JMSSource should not be used as it uses 
JMSMessageConsumer.
+
+.. rubric:: Release Details
+
+In release 1.10.1, if a protocol is specified in the destination name 
parameter only the java protocol will be allowed. If no protocol is specified 
it will also be allowed.
+
+.. rubric:: Credit
+
+This issue was found by Frentzen Amaral.
+
+
 .. rubric:: Fixed in Flume 1.10.0
 
 `CVE-2022-25167 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25167>`__: Apache 
Flume vulnerable to a JNDI RCE in JMSSource.

Reply via email to