Description

Apache Flume versions 1.4.0 through 1.9.0 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.

Remediation

References

https://lists.apache.org/thread/16nf6b81zjpdc4y93ho99oxo83ddbsvg

https://issues.apache.org/jira/browse/FLUME-3416

http://www.openwall.com/lists/oss-security/2022/06/14/1

Related Vulnerabilities

CVE-2022-36911 Vulnerability in maven package org.jenkins-ci.plugins:openstack-heat

CVE-2020-36632 Vulnerability in npm package flat

CVE-2023-32998 Vulnerability in maven package com.rapid7:jenkinsci-appspider-plugin

CVE-2023-45135 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-war

CVE-2023-27898 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Broken Link Issue Tracking Patch Vendor Advisory Mailing List Third Party Advisory NVD-CWE-noinfo