Lucene search

GitHub Advisory DatabaseGHSA-9W4G-FP9H-3Q2V

HistoryOct 26, 2022 - 7:00 p.m.

Apache Flume vulnerable to remote code execution via deserialization of unsafe providerURL

2022-10-2619:00:38

CWE-20

CWE-502

GitHub Advisory Database

github.com

apache flume

jmssource

remote code execution

vulnerability

deserialization

rce

jndi lookup

providerurl

version 1.11.0

software

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.006 Low

EPSS

Percentile

78.7%

JSON

Flume’s JMSSource class can be configured with a providerUrl parameter. A JNDI lookup is performed on this name without performing validation. This could result in untrusted data being deserialized, leading to remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed in version 1.11.0.

Affected configurations

Vulners

Node

oneidentitysyslog-ngRange<1.11.0open_source

CPENameOperatorVersion
org.apache.flume.flume-ng-sources:flume-jms-sourcelt1.11.0

CPE	Name	Operator	Version
	org.apache.flume.flume-ng-sources:flume-jms-source	lt	1.11.0

References

github.com/advisories/GHSA-9w4g-fp9h-3q2v

github.com/apache/flume/commit/eee179a09df405c1ab55ae25a53b76ca1050bb97

issues.apache.org/jira/browse/FLUME-3437

lists.apache.org/thread/1ckhmp539zr2nd2rs45pocpywk2d9zvz

lists.apache.org/thread/939wkx8o90bp6m2ht3t1sdyo1ncypl78

nvd.nist.gov/vuln/detail/CVE-2022-42468

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.006 Low

EPSS

Percentile

78.7%

JSON

Related for GHSA-9W4G-FP9H-3Q2V