CVE-2022-42468: Apache Flume Remote Code Execution Vulnerability

Apache Flume released the latest security bulletin on October 26, which contains a remote code execution vulnerability (CVE-2022-42468). The flaw severity is medium. The security researcher nbxiglk has been credited with reporting this flaw.

Apache Flume is a distributed, reliable, and available service for efficiently collecting, aggregating, and moving large amounts of log data. It has a simple and flexible architecture based on streaming data flows. It is robust and fault tolerant with tunable reliability mechanisms and many failover and recovery mechanisms. The system is centrally managed and allows for intelligent dynamic management. It uses a simple extensible data model that allows for online analytic applications.

CVE-2022-42468 bug was caused by the deserialization of untrusted data when a configuration uses a JMS Source with an unsafe providerURL. An attacker could exploit this vulnerability to execute arbitrary code on the system.

“Flume’s JMSSource class can be configured with a providerUrl parameter. A JNDI lookup is performed on this name without performing an validation. This could result in untrusted data being deserialized,” read the mailing list.

The bug affects Apache Flume versions 1.4.0 through 1.10.1. In this regard, we recommend that users upgrade Apache Flume to the latest version (1.11) as soon as possible. In release 1.11.0, if a protocol is specified in the connection factory parameter only the java protocol will be allowed. If no protocol is specified it will also be allowed. Also, users can disable JMSSource to migrate this flaw.