CVE-2022-34916: Apache Flume Remote Code Execution Vulnerability
Apache Flume released its latest security bulletin on August 21, disclosing a remote code execution vulnerability (CVE-2022-34916). Security researcher Frentzen Amaral is credited with reporting the flaw.
Apache Flume is a distributed, reliable, and available service for efficiently collecting, aggregating, and moving large amounts of log data. It has a simple and flexible architecture based on streaming data flows. It is robust and fault tolerant with tunable reliability mechanisms and many failover and recovery mechanisms. The system is centrally managed and allows for intelligent dynamic management. It uses a simple extensible data model that allows for online analytic applications.
The CVE-2022-34916 flaw is a “remote code execution (RCE) attack when a configuration uses a JMS Source with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol,” read the security bulletin.
The bug affects Apache Flume versions 1.4 through 1.10. We recommend that users upgrade Apache Flume to the latest version (1.10.1) as soon as possible.
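To find agents exposed to the configuration the bulletin describes, the following added example (not code from the Apache Flume project) audits an agent properties file for JMS sources whose JNDI settings use a protocol other than `java` or none. It assumes the standard JMS source keys `type`, `connectionFactory` and `providerURL`; the sample configuration and host names are constructed.

```python
import re

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
# Assumption: these standard JMS source keys carry the JNDI values; the
# bulletin quoted above does not say which property the fix validates.
LOOKUP_KEYS = {"connectionFactory"}  # JNDI lookup name: allow java: or no scheme
URL_KEYS = {"providerURL"}           # JNDI provider URL: flag ldap/ldaps

# Constructed sample agent configuration (hosts are placeholders).
SAMPLE = """\
a1.sources.r1.type = jms
a1.sources.r1.connectionFactory = GenericConnectionFactory
a1.sources.r1.providerURL = tcp://mq.example.test:61616
a1.sources.r2.type = jms
a1.sources.r2.connectionFactory = GenericConnectionFactory
a1.sources.r2.providerURL = ldap://ldap.example.test:389/dc=example
a1.sources.r3.type = jms
a1.sources.r3.connectionFactory = ldap://ldap.example.test:389/cn=cf
a1.sources.r3.providerURL = tcp://mq.example.test:61616
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and comments."""
    pairs = (ln.partition("=") for ln in text.splitlines() if not ln.lstrip().startswith(("#", "!")))
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def scheme_of(value):
    """Return the lower-cased URI scheme of value, or None if it has none."""
    m = SCHEME_RE.match(value)
    return m.group(1).lower() if m else None

def audit_jms_sources(text):
    """Return (source, key, value) for each risky JNDI setting on a JMS source."""
    props, findings = parse_properties(text), []
    for key, value in props.items():
        parts = key.split(".")
        if len(parts) != 4 or parts[1] != "sources" or parts[3] != "type" or value.lower() != "jms":
            continue
        source = ".".join(parts[:3])  # e.g. a1.sources.r2
        for name in sorted(LOOKUP_KEYS | URL_KEYS):
            setting = props.get(f"{source}.{name}", "")
            scheme = scheme_of(setting)
            if (name in LOOKUP_KEYS and scheme not in (None, "java")) or \
               (name in URL_KEYS and scheme in ("ldap", "ldaps")):
                findings.append((source, name, setting))
    return findings

if __name__ == "__main__":
    print(*audit_jms_sources(SAMPLE), sep="\n")
```

A finding means the agent depends on a remote JNDI endpoint and should be reviewed before and after the upgrade to 1.10.1, since the fixed version rejects protocols other than `java`.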