CVE-2022-34916: Improper Input Validation (JNDI Injection) in JMSMessageConsumer
First published: Sun Aug 21 2022(Updated: )
Apache Flume versions 1.4.0 through 1.10.0 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Flume | >=1.4.0<1.10.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-34916?
CVE-2022-34916 is classified as a critical vulnerability due to its potential for remote code execution.
How do I fix CVE-2022-34916?
To fix CVE-2022-34916, upgrade Apache Flume to version 1.10.1 or later, ensuring that JNDI is configured securely.
Who is affected by CVE-2022-34916?
Apache Flume versions 1.4.0 to 1.10.0 are affected by CVE-2022-34916 if configured with a JMS Source using a JNDI LDAP data source URI.
What kind of attack does CVE-2022-34916 enable?
CVE-2022-34916 enables a remote code execution attack if an attacker gains control of the target LDAP server.
When was CVE-2022-34916 discovered?
CVE-2022-34916 was disclosed in 2022 and involves vulnerabilities present in several versions of Apache Flume.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/last-modified-date
- agent/remedy
- agent/author
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- agent/source
- vendor/apache
- canonical/apache flume
- version/apache flume/1.4.0