
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Apache Flume Security Vulnerabilities &mdash; Apache Flume</title> <link rel="stylesheet" href="_static/flume.css" type="text/css" /> <link rel="stylesheet" href="_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '', VERSION: '', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="_static/jquery.js"></script> <script type="text/javascript" src="_static/underscore.js"></script> <script type="text/javascript" src="_static/doctools.js"></script> <link rel="top" title="Apache Flume" href="index.html" /> <link rel="next" title="Documentation" href="documentation.html" /> <link rel="prev" title="Download" href="download.html" /> </head> <body> <div class="header"> <table width="100%" border="0"> <tr> <td width="10%"> <div class="logo"> <a href="index.html"> <img class="logo" src="_static/flume-logo.png" alt="Logo"/> </a> </div> </td> <td width="2%"> <span class="trademark">&trade;</span> </td> <td width="68%" align="center" class="pageTitle">Apache Flume<sup><span class="trademark">&trade;</span></sup> </td> <td width="20%"> <a href="https://www.apache.org"> <img src="_static/feather-small.png" alt="Apache Software Foundation" height="70"/> </a> </td> </tr> </table> </div> <div class="document"> <div class="documentwrapper"> <div class="bodywrapper"> <div class="body"> <div class="section" id="apache-flume-security-vulnerabilities"> <h1>Apache Flume Security Vulnerabilities<a class="headerlink" href="#apache-flume-security-vulnerabilities" title="Permalink to this headline">¶</a></h1> <p>This page lists all the security vulnerabilities fixed in released versions of Apache Flume. 
Each vulnerability is given a security impact rating by the Apache Flume security team. Note that this rating may vary from platform to platform. We also list the versions of Apache Flume the flaw is known to affect; where a flaw has not been verified against a version, that version is listed with a question mark.</p>
<p>Binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Apache Flume version that you are using.</p>
<p>If you need help building or configuring Flume, or other help following the instructions to mitigate the known vulnerabilities listed here, please subscribe to the public Flume Users mailing list and send your questions there.</p>
<p>If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the <a class="reference external" href="mailto:private&#37;&#52;&#48;flume&#46;apache&#46;org">Flume Security Team</a>. 
Thank you!</p>
<p class="rubric">Fixed in Flume 1.11.0</p>
<p><a class="reference external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468">CVE-2022-42468</a>: Apache Flume Improper Input Validation (JNDI Injection) in JMSSource.</p>
<table border="1" class="docutils"> <colgroup> <col width="53%" /> <col width="47%" /> </colgroup> <thead valign="bottom"> <tr class="row-odd"><th class="head"><a class="reference external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42468">CVE-2022-42468</a></th> <th class="head">Deserialization of Untrusted Data</th> </tr> </thead> <tbody valign="top"> <tr class="row-even"><td>Severity</td> <td>Moderate</td> </tr> <tr class="row-odd"><td>Base CVSS Score</td> <td>6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)</td> </tr> <tr class="row-even"><td>Versions Affected</td> <td>Flume 1.4.0 through 1.10.1</td> </tr> </tbody> </table>
<p class="rubric">Description</p>
<p>Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.</p>
<p class="rubric">Mitigation</p>
<p>Do not use JMSSource, or upgrade to Apache Flume 1.11.0.</p>
<p class="rubric">Release Details</p>
<p>In release 1.11.0, if a protocol is specified in the providerUrl parameter, only the java protocol will be allowed. 
If no protocol is specified it will also be allowed.</p>
<p class="rubric">Credit</p>
<p>This issue was found by nbxiglk.</p>
<p class="rubric">Fixed in Flume 1.10.1</p>
<p><a class="reference external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916">CVE-2022-34916</a>: Apache Flume vulnerable to a JNDI RCE in JMSMessageConsumer.</p>
<table border="1" class="docutils"> <colgroup> <col width="53%" /> <col width="47%" /> </colgroup> <thead valign="bottom"> <tr class="row-odd"><th class="head"><a class="reference external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34916">CVE-2022-34916</a></th> <th class="head">Deserialization of Untrusted Data</th> </tr> </thead> <tbody valign="top"> <tr class="row-even"><td>Severity</td> <td>Moderate</td> </tr> <tr class="row-odd"><td>Base CVSS Score</td> <td>6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)</td> </tr> <tr class="row-even"><td>Versions Affected</td> <td>Flume 1.4.0 through 1.10.0</td> </tr> </tbody> </table>
<p class="rubric">Description</p>
<p>Flume&#8217;s JMSMessageConsumer class can be configured with a destination name. A JNDI lookup is performed on this name without performing any validation. This could result in untrusted data being deserialized.</p>
<p class="rubric">Mitigation</p>
<p>Upgrade to Flume 1.10.1.</p>
<p>In releases 1.4.0 through 1.10.0, the JMSSource should not be used, as it uses JMSMessageConsumer.</p>
<p class="rubric">Release Details</p>
<p>In release 1.10.1, if a protocol is specified in the destination name parameter, only the java protocol will be allowed. 
If no protocol is specified it will also be allowed.</p>
<p class="rubric">Credit</p>
<p>This issue was found by Frentzen Amaral.</p>
<p class="rubric">Fixed in Flume 1.10.0</p>
<p><a class="reference external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25167">CVE-2022-25167</a>: Apache Flume vulnerable to a JNDI RCE in JMSSource.</p>
<table border="1" class="docutils"> <colgroup> <col width="53%" /> <col width="47%" /> </colgroup> <thead valign="bottom"> <tr class="row-odd"><th class="head"><a class="reference external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25167">CVE-2022-25167</a></th> <th class="head">Deserialization of Untrusted Data</th> </tr> </thead> <tbody valign="top"> <tr class="row-even"><td>Severity</td> <td>Moderate</td> </tr> <tr class="row-odd"><td>Base CVSS Score</td> <td>6.6 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)</td> </tr> <tr class="row-even"><td>Versions Affected</td> <td>Flume 1.4.0 through 1.9.0</td> </tr> </tbody> </table>
<p class="rubric">Description</p>
<p>Flume&#8217;s JMSSource class can be configured with a connection factory name. A JNDI lookup is performed on this name without performing any validation. This could result in untrusted data being deserialized.</p>
<p class="rubric">Mitigation</p>
<p>Upgrade to Flume 1.10.0.</p>
<p>In releases 1.4.0 through 1.9.0, the JMSSource should not be used.</p>
<p class="rubric">Release Details</p>
<p>In release 1.10.0, if a protocol is specified in the connection factory parameter, only the java protocol will be allowed. 
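</p>
<p>The check that the release details for all three fixes describe, written out as an added example rather than Flume&#8217;s own code: a configured provider URL, connection factory name or destination name is accepted only when it carries no scheme or the java scheme, and the check runs before any JNDI lookup is attempted. The class and method names are this example&#8217;s own, the scheme-matching regular expression is an assumption about how the rule is applied, and the sample values in main are constructed.</p>

```java
import java.util.Hashtable;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// Added example, not Flume's own code: the rule from the release notes
// (only the "java" protocol, or no protocol at all) applied to a configured
// provider URL or JNDI name before any lookup. Names are this example's own;
// the scheme regex is an assumption about how the rule is implemented.
public final class JndiSchemeGuard {

    // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
    private static final Pattern SCHEME = Pattern.compile("^([A-Za-z][A-Za-z0-9+.\\-]*):");

    private JndiSchemeGuard() {}

    /** Returns the scheme of a JNDI name or provider URL, or null when it has none. */
    static String schemeOf(String value) {
        Matcher m = SCHEME.matcher(value);
        return m.find() ? m.group(1) : null;
    }

    /** True only for a value with no scheme or with the "java" scheme (case-insensitive). */
    public static boolean isAllowed(String value) {
        if (value == null || value.trim().isEmpty()) {
            return false;                       // fail closed on an empty setting
        }
        String scheme = schemeOf(value.trim());
        return scheme == null || scheme.equalsIgnoreCase("java");
    }

    /** Rejects a disallowed value up front, so the naming provider never sees it. */
    static String requireAllowed(String what, String value) {
        if (!isAllowed(value)) {
            throw new IllegalArgumentException(
                what + " must use the java protocol or no protocol: " + value);
        }
        return value.trim();
    }

    /** Builds an InitialContext only when the configured provider URL passes the check. */
    public static Context contextFor(String providerUrl) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.PROVIDER_URL, requireAllowed("providerURL", providerUrl));
        return new InitialContext(env);
    }

    /**
     * Looks up a connection factory or destination name after the same check.
     * The affected releases passed the configured name straight to lookup().
     */
    public static Object guardedLookup(Context ctx, String name) throws NamingException {
        return ctx.lookup(requireAllowed("JNDI name", name));
    }

    public static void main(String[] args) {
        // Constructed sample values; no naming provider is contacted here.
        String[] samples = {
            "jms/ConnectionFactory",               // no protocol: allowed
            "java:comp/env/jms/ConnectionFactory", // java protocol: allowed
            "JAVA:comp/env/jms/Queue",             // scheme compared case-insensitively: allowed
            "ldap://example.invalid/cn=x",         // any other protocol: rejected
            "",                                    // empty: rejected
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "allow  " : "reject ") + "\"" + s + "\"");
        }
    }
}
```

<p>A rejected value fails closed with an IllegalArgumentException before any naming provider is contacted. Note that a value of the form host:1099 is also rejected, because its first component parses as a scheme; that is the safe outcome for a setting that is expected to name a local JNDI object.</p>
<p>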
If no protocol is specified it will also be allowed.</p>
<p class="rubric">Credit</p>
<p>This issue was found by the Flume development team.</p>
</div> </div> </div> </div> <div class="clearer"></div> </div>
<div class="footer"> &copy; Copyright 2009-2023 The Apache Software Foundation. Apache Flume, Flume, Apache, the Apache feather logo, and the Apache Flume project logo are trademarks of The Apache Software Foundation. </div>
</body> </html>