CVE-2022-25167

9.8 CRITICAL

📋 TL;DR

Apache Flume versions 1.4.0 through 1.9.0 are vulnerable to remote code execution when using JMS Source with JNDI LDAP data source URI. Attackers controlling the LDAP server can execute arbitrary code on vulnerable Flume instances. This affects all deployments using the vulnerable configuration.

💻 Affected Systems

Products:
  • Apache Flume
Versions: 1.4.0 through 1.9.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using JMS Source with JNDI LDAP data source URI configuration. Default configurations are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the Flume server, potentially leading to data exfiltration, lateral movement, or ransomware deployment.

🟠 Likely Case

Remote code execution allowing attackers to run arbitrary commands, install malware, or access sensitive data processed by Flume.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent attackers from reaching vulnerable systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires attacker control of the LDAP server referenced in the configuration. Similar to Log4Shell exploitation patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.0 and later

Vendor Advisory: https://lists.apache.org/thread/16nf6b81zjpdc4y93ho99oxo83ddbsvg

Restart Required: Yes

Instructions:

1. Upgrade to Apache Flume 1.10.0 or later.
2. Update the JMS Source configuration for the fixed version.
3. Restart Flume services.
4. Verify JNDI is limited to the java protocol only.

🔧 Temporary Workarounds

Disable JMS Source with JNDI LDAP (Applies to: all)

Remove or disable JMS Source configurations using JNDI LDAP data source URIs

Edit Flume configuration files to remove JMS Source with JNDI LDAP settings

Network Segmentation (Applies to: all)

Restrict Flume servers from accessing external LDAP servers

Configure firewall rules to block outbound LDAP traffic from Flume servers

🧯 If You Can't Patch

  • Implement strict network controls to prevent Flume servers from accessing untrusted LDAP servers
  • Monitor for suspicious outbound LDAP connections from Flume servers

🔍 How to Verify

Check if Vulnerable:

Check Flume configuration files for JMS Source with JNDI LDAP data source URI settings

Check Version:

flume-ng version

Verify Fix Applied:

Verify the Flume version is 1.10.0+ and the JNDI configuration only allows the java protocol
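An added audit script (not part of this advisory or of Apache Flume) that performs the two checks above: it scans a Flume agent properties file for JMS Sources whose JNDI provider URL uses an LDAP scheme, and tests whether a version string falls in the affected range. The sample configuration is constructed; the property keys `type` and `providerURL` are the JMS Source keys documented in the Flume user guide.

```python
import re
from urllib.parse import urlsplit

# Constructed sample Flume agent configuration (not taken from the advisory).
# r1 points JNDI at a message broker; r2 uses an LDAP provider URL, which is
# the configuration CVE-2022-25167 concerns.
SAMPLE_CONFIG = """
a1.sources = r1 r2
a1.sources.r1.type = jms
a1.sources.r1.initialContextFactory = org.apache.activemq.jndi.ActiveMQInitialContextFactory
a1.sources.r1.providerURL = tcp://mq.internal.example:61616
a1.sources.r1.destinationName = BUSINESS_DATA
a1.sources.r2.type = jms
a1.sources.r2.initialContextFactory = com.sun.jndi.ldap.LdapCtxFactory
a1.sources.r2.providerURL = ldap://203.0.113.10:1389/o=jms
a1.sources.r2.destinationName = BUSINESS_DATA
"""

JNDI_RISKY_SCHEMES = {"ldap", "ldaps"}
KEY_RE = re.compile(r"^(?P<agent>[^.\s]+)\.sources\.(?P<src>[^.\s]+)\.(?P<prop>\S+)\s*=\s*(?P<val>.*)$")

def parse_sources(config_text):
    """Return {(agent, source): {property: value}} from Flume properties text."""
    sources = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            sources.setdefault((m["agent"], m["src"]), {})[m["prop"]] = m["val"].strip()
    return sources

def find_vulnerable_jms_sources(config_text):
    """List (agent, source, providerURL) for JMS Sources whose JNDI provider URL is LDAP."""
    findings = []
    for (agent, src), props in parse_sources(config_text).items():
        if props.get("type", "").lower() != "jms":
            continue
        url = props.get("providerURL", "")
        if urlsplit(url).scheme.lower() in JNDI_RISKY_SCHEMES:
            findings.append((agent, src, url))
    return findings

def version_in_affected_range(version):
    """True if a Flume version string (e.g. from `flume-ng version`) is within 1.4.0 .. 1.9.0."""
    parts = tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    return (1, 4, 0) <= parts <= (1, 9, 0)

if __name__ == "__main__":
    for agent, src, url in find_vulnerable_jms_sources(SAMPLE_CONFIG):
        print(f"{agent}.sources.{src}: JMS Source with LDAP JNDI providerURL {url}")
```

Run it against the real agent configuration files and the output of `flume-ng version`; a non-empty finding list on an affected version is the configuration this advisory describes.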

📡 Detection & Monitoring

Log Indicators:

  • JNDI lookup attempts
  • LDAP connection errors
  • Unexpected process execution

Network Indicators:

  • Outbound LDAP connections from Flume servers to untrusted IPs
  • Unusual network traffic patterns

SIEM Query:

source="flume" AND (jndi OR ldap) AND (lookup OR connection)
