This is an automated email from the ASF dual-hosted git repository. ppkarwasz pushed a commit to branch docs/move-flume-site in repository https://gitbox.apache.org/repos/asf/logging-flume.git
commit 6ef617db9c9fa5f37d91613c4005be3a6fd58420 Author: Ralph Goers <[email protected]> AuthorDate: Mon Oct 24 22:58:32 2022 -0700 Add info about CVE-2022-42468 --- source/sphinx/index.rst | 5 ++++- source/sphinx/security.rst | 30 ++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/source/sphinx/index.rst b/source/sphinx/index.rst index 5f6764b2..12dffb52 100644 --- a/source/sphinx/index.rst +++ b/source/sphinx/index.rst @@ -33,7 +33,7 @@ application. .. raw:: html - <h3>Oct 13, 2022 - Apache Flume 1.11.0 Released</h3> + <h3>Oct 24, 2022 - Apache Flume 1.11.0 Released</h3> The Apache Flume team is pleased to announce the release of Flume 1.11.0. @@ -47,6 +47,9 @@ This version of Flume adds support for deploying Flume as a Spring Boot applicat Kafka source and sink for passing the Kafka timestamp and headers, and allows SSL hostname verification to be disabled in the Kafka source and sink. +Flume 1.11.0 contains a fix for `CVE-2022-42468 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468>`__. +See the `Flume Security <./security.html>`__ page for more details. + The full change log and documentation are available on the `Flume 1.11.0 release page <releases/1.11.0.html>`__. diff --git a/source/sphinx/security.rst b/source/sphinx/security.rst index be6fae26..72fe61d2 100644 --- a/source/sphinx/security.rst +++ b/source/sphinx/security.rst @@ -10,6 +10,36 @@ If you need help on building or configuring Flume or other help on following the If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the `Flume SecurityTeam <mailto:[email protected]>`__. Thank you! +.. rubric:: Fixed in Flume 1.11.0 + +`CVE-2022-42468 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468>`__: Apache Flume Improper Input Validation (JNDI Injection) in JMSSource. + ++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ +| `CVE-2022-42468 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468>`__ | Deserialization of Untrusted Data | ++====================================================================================+==========================================================================+ +| Severity | Moderate | ++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ +| Base CVSS SCore | 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) | ++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ +| Versions Affected | Flume 1.4.0 through 1.10.1 | ++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+ + +.. rubric:: Description + +Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol. + +.. rubric:: Mitigation + +Do not use JMSSource or upgrade to Apache Flume 1.11.0 + +.. rubric:: Release Details + +In release 1.11.0, if a protocol is specified in the providerUrl parameter only the java protocol will be allowed. If no protocol is specified it will also be allowed. + +.. rubric:: Credit + +This issue was found by Xian Wei. + .. rubric:: Fixed in Flume 1.10.1 `CVE-2022-34916 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916>`__: Apache Flume vulnerable to a JNDI RCE in JMSMessageConsumer.
