This is an automated email from the ASF dual-hosted git repository.

ppkarwasz pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/logging-flume.git

commit 7ea98caca210225eb92757197b6fdae50b9c5365
Author: Ralph Goers <[email protected]>
AuthorDate: Mon Oct 24 22:58:32 2022 -0700

    Add info about CVE-2022-42468
---
 source/sphinx/index.rst    |  5 ++++-
 source/sphinx/security.rst | 30 ++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/source/sphinx/index.rst b/source/sphinx/index.rst
index 5f6764b2..12dffb52 100644
--- a/source/sphinx/index.rst
+++ b/source/sphinx/index.rst
@@ -33,7 +33,7 @@ application.
 
 .. raw:: html
 
-   <h3>Oct 13, 2022 - Apache Flume 1.11.0 Released</h3>
+   <h3>Oct 24, 2022 - Apache Flume 1.11.0 Released</h3>
 
 The Apache Flume team is pleased to announce the release of Flume 1.11.0.
 
@@ -47,6 +47,9 @@ This version of Flume adds support for deploying Flume as a 
Spring Boot applicat
 Kafka source and sink for passing the Kafka timestamp and headers, and allows 
SSL hostname verification
 to be disabled in the Kafka source and sink.
 
+Flume 1.11.0 contains a fix for `CVE-2022-42468 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468>`__.
+See the `Flume Security <./security.html>`__ page for more details.
+
 The full change log and documentation are available on the
 `Flume 1.11.0 release page <releases/1.11.0.html>`__.
 
diff --git a/source/sphinx/security.rst b/source/sphinx/security.rst
index be6fae26..72fe61d2 100644
--- a/source/sphinx/security.rst
+++ b/source/sphinx/security.rst
@@ -10,6 +10,36 @@ If you need help on building or configuring Flume or other 
help on following the
 
 If you have encountered an unlisted security vulnerability or other unexpected 
behaviour that has security impact, or if the descriptions here are incomplete, 
please report them privately to the `Flume SecurityTeam 
<mailto:[email protected]>`__. Thank you!
 
+.. rubric:: Fixed in Flume 1.11.0
+
+`CVE-2022-42468 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468>`__: Apache 
Flume Improper Input Validation (JNDI Injection) in JMSSource.
+
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| `CVE-2022-42468 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468>`__ | 
Deserialization of Untrusted Data                                        |
++====================================================================================+==========================================================================+
+| Severity                                                                     
      | Moderate                                                                
 |
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| Base CVSS SCore                                                              
      | 6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)                               
 |
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+| Versions Affected                                                            
      | Flume 1.4.0 through 1.10.1                                              
 |
++------------------------------------------------------------------------------------+--------------------------------------------------------------------------+
+
+.. rubric:: Description
+
+Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code 
execution (RCE) attack when a configuration uses a JMS Source with an unsafe 
providerURL. This issue is fixed by limiting JNDI to allow only the use of the 
java protocol or no protocol.
+
+.. rubric:: Mitigation
+
+Do not use JMSSource or upgrade to Apache Flume 1.11.0
+
+.. rubric:: Release Details
+
+In release 1.11.0, if a protocol is specified in the providerUrl parameter 
only the java protocol will be allowed. If no protocol is specified it will 
also be allowed.
+
+.. rubric:: Credit
+
+This issue was found by Xian Wei.
+
 .. rubric:: Fixed in Flume 1.10.1
 
 `CVE-2022-34916 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916>`__: Apache 
Flume vulnerable to a JNDI RCE in JMSMessageConsumer.

Reply via email to