Lucene search

GoogleOSV:GHSA-9W4G-FP9H-3Q2V

HistoryOct 26, 2022 - 7:00 p.m.

Apache Flume vulnerable to remote code execution via deserialization of unsafe providerURL

2022-10-2619:00:38

Google

osv.dev

apache flume

remote code execution

deserialization

providerurl

jndi lookup

validation

rce

software update

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.006

Percentile

79.5%

JSON

Flume’s JMSSource class can be configured with a providerUrl parameter. A JNDI lookup is performed on this name without performing validation. This could result in untrusted data being deserialized, leading to remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed in version 1.11.0.

References

github.com/apache/flume

github.com/apache/flume/commit/eee179a09df405c1ab55ae25a53b76ca1050bb97

issues.apache.org/jira/browse/FLUME-3437

lists.apache.org/thread/1ckhmp539zr2nd2rs45pocpywk2d9zvz

lists.apache.org/thread/939wkx8o90bp6m2ht3t1sdyo1ncypl78

nvd.nist.gov/vuln/detail/CVE-2022-42468

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.006

Percentile

79.5%

JSON

Related for OSV:GHSA-9W4G-FP9H-3Q2V