This is an automated email from the ASF dual-hosted git repository. ppkarwasz pushed a commit to branch docs/move-flume-site in repository https://gitbox.apache.org/repos/asf/logging-flume.git
commit d4b67713f6a518d9e661f3c48d05cdb24ca79afe Author: Ralph Goers <[email protected]> AuthorDate: Mon Jun 13 13:05:04 2022 -0700 Update site for 1.10.0 --- source/sphinx/FlumeUserGuide.rst | 20 +++++++++---------- source/sphinx/index.rst | 6 +++++- source/sphinx/security.rst | 43 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 57 insertions(+), 12 deletions(-) diff --git a/source/sphinx/FlumeUserGuide.rst b/source/sphinx/FlumeUserGuide.rst index 7d7b3fde..dc5b2b78 100644 --- a/source/sphinx/FlumeUserGuide.rst +++ b/source/sphinx/FlumeUserGuide.rst @@ -197,11 +197,10 @@ several named agents; when a given Flume process is launched a flag is passed te Given this configuration file, we can start Flume as follows:: - $ bin/flume-ng agent --conf conf --conf-file example.conf --name a1 -Dflume.root.logger=INFO,console + $ bin/flume-ng agent --conf conf --conf-file example.conf --name a1 Note that in a full deployment we would typically include one more option: ``--conf=<conf-dir>``. -The ``<conf-dir>`` directory would include a shell script *flume-env.sh* and potentially a log4j properties file. -In this example, we pass a Java option to force Flume to log to the console and we go without a custom environment script. +The ``<conf-dir>`` directory would include a shell script *flume-env.sh* and potentially a log4j configuration file. From a separate terminal, we can then telnet port 44444 and send Flume an event: @@ -249,7 +248,7 @@ configurations will be processed before any of the --conf-file configurations ar For example, a configuration of:: - $ bin/flume-ng agent --conf conf --conf-file example.conf --conf-uri http://localhost:80/flume.conf --conf-uri http://localhost:80/override.conf --name a1 -Dflume.root.logger=INFO,console + $ bin/flume-ng agent --conf conf --conf-file example.conf --conf-uri http://localhost:80/flume.conf --conf-uri http://localhost:80/override.conf --name a1 will cause flume.conf to be read first, override.conf to be merged with it and finally example.conf would be merged last. If it is desirec to have example.conf be the base configuration it should be specified using the @@ -278,7 +277,7 @@ class using the default set of Lookups along with a lookup that uses the configu source for replacement values. For example:: - $ NC_PORT=44444 bin/flume-ng agent --conf conf --conf-file example.conf --name a1 -Dflume.root.logger=INFO,console + $ NC_PORT=44444 bin/flume-ng agent --conf conf --conf-file example.conf --name a1 Note the above is just an example, environment variables can be configured in other ways, including being set in `conf/flume-env.sh`. @@ -292,7 +291,7 @@ As noted, system properties are also supported, so the configuration:: could be used and the startup command could be:: - $ bin/flume-ng agent --conf conf --conf-file example.conf --name a1 -Dflume.root.logger=INFO,console -DNC_PORT=44444 + $ bin/flume-ng agent --conf conf --conf-file example.conf --name a1 -DNC_PORT=44444 Furthermore, because multiple configuration files are allowed the first file could contain:: @@ -308,7 +307,7 @@ and the override file could contain:: In this case the startup command could be:: - $ bin/flume-ng agent --conf conf --conf-file example.conf --conf-file override.conf --name a1 -Dflume.root.logger=INFO,console + $ bin/flume-ng agent --conf conf --conf-file example.conf --conf-file override.conf --name a1 Note that the method for specifying environment variables as was done in prior versions will stil work but has been deprecated in favor of using ${env:varName}. @@ -348,10 +347,9 @@ To enable data logging, set the Java system property ``-Dorg.apache.flume.log.ra in the same way described above. For most components, the log4j logging level must also be set to DEBUG or TRACE to make event-specific logging appear in the Flume logs. -Here is an example of enabling both configuration logging and raw data logging while also -setting the Log4j loglevel to DEBUG for console output:: +Here is an example of enabling both configuration logging and raw data logging:: - $ bin/flume-ng agent --conf conf --conf-file example.conf --name a1 -Dflume.root.logger=DEBUG,console -Dorg.apache.flume.log.printconfig=true -Dorg.apache.flume.log.rawdata=true + $ bin/flume-ng agent --conf conf --conf-file example.conf --name a1 -Dorg.apache.flume.log.printconfig=true -Dorg.apache.flume.log.rawdata=true Zookeeper based Configuration @@ -369,7 +367,7 @@ Following is how the Zookeeper Node tree would look like for agents a1 and a2 Once the configuration file is uploaded, start the agent with following options - $ bin/flume-ng agent --conf conf -z zkhost:2181,zkhost1:2181 -p /flume --name a1 -Dflume.root.logger=INFO,console + $ bin/flume-ng agent --conf conf -z zkhost:2181,zkhost1:2181 -p /flume --name a1 ================== ================ ========================================================================= Argument Name Default Description diff --git a/source/sphinx/index.rst b/source/sphinx/index.rst index a7507343..b5a92b77 100644 --- a/source/sphinx/index.rst +++ b/source/sphinx/index.rst @@ -33,7 +33,7 @@ application. .. raw:: html - <h3>June 5, 2022 - Apache Flume 1.10.0 Released</h3> + <h3>June 13, 2022 - Apache Flume 1.10.0 Released</h3> The Apache Flume team is pleased to announce the release of Flume 1.10.0. @@ -43,6 +43,9 @@ collecting, aggregating, and moving large amounts of streaming event data. Flume 1.10.0 is stable, production-ready software, and is backwards-compatible with previous versions of the Flume 1.x codeline. +Flume 1.10.0 contains a fix for `CVE-2022-25167 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25167>`__. +See the `Flume Security <./security.html>`__ page for more details. + This version of Flume upgrades many dependencies, resolving the CVEs associated with them. Enhancements included in this release include the addition of a LoadBalancingChannelSelector, the ability to retrieve the Flume configuration from a remote source such as a Spring @@ -575,6 +578,7 @@ Feel free to post to the User's mailing list with any questions. getinvolved download + security documentation releases/index mailinglists diff --git a/source/sphinx/security.rst b/source/sphinx/security.rst new file mode 100644 index 00000000..eef07a2e --- /dev/null +++ b/source/sphinx/security.rst @@ -0,0 +1,43 @@ +===================================== +Apache Flume Security Vulnerabilities +===================================== + +This page lists all the security vulnerabilities fixed in released versions of Apache Flume. Each vulnerability is given a security impact rating by the Apache Flume security team. Note that this rating may vary from platform to platform. We also list the versions of Apache Flume the flaw is known to affect, and where a flaw has not been verified list the version with a question mark. + +Binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Apache Flume version that you are using. + +If you need help on building or configuring Flume or other help on following the instructions to mitigate the known vulnerabilities listed here, please subscribe to, and send your questions to the public Flume Users mailing list. + +If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the `Flume SecurityTeam <mailto:[email protected]>`__. Thank you! + +.. rubric:: Fixed in Flume 1.10.0 + +`CVE-2022-25167 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25167>`__: Apache Flume vulnerable to a JNDI RCE in JMSSource. + ++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ +| `CVE-2022-25167 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25167>`__ | Deserialization of Untrusted Data | ++====================================================================================+==========================================================================+ +| Severity | Moderate | ++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ +| Base CVSS SCore | 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) | ++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ +| Versions Affected | Flume 1.4.0 through 1.9.0 | ++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ + +.. rubric:: Description + +Flume's JMSSource class can be configured with a connection factory name. A JNDI lookup is performed on this name without performing an validation. This could result in untrusted data being deserialized. + +.. rubric:: Mitigation + +Upgrade to Flume 1.10.0. + +In releases 1.4.0 through 1.9.0 the JMSSource should not be used. + +.. rubric:: Release Details + +In release 1.10.0, if a protocol is specified in the connection factory parameter only the java protocol will be allowed. If no protocol is specified it will also be allowed. + +.. rubric:: Credit + +This issue was found by the Flume development team.
