Apache Flume vulnerable to a JNDI RCE in JMSSource
Description
Apache Flume versions 1.4.0 to 1.9.0 allow remote code execution via a malicious JNDI LDAP URI in JMS Source configuration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
Apache Flume versions 1.4.0 through 1.9.0 contain a remote code execution vulnerability in the JMS Source component. The vulnerability arises because the JMSSource class performs a JNDI lookup on a user-controlled connection factory name without proper validation. If an attacker can control the target LDAP server, they can supply a malicious JNDI URI that triggers deserialization of untrusted data [1][2].
Exploitation
Prerequisites
Exploitation requires that a Flume agent is configured with a JMS Source that uses a JNDI LDAP data source URI. The attacker must have control over the LDAP server referenced in the configuration. No other authentication or network access is needed beyond influencing the LDAP server content [1][4].
Impact
Successful exploitation allows an attacker to achieve remote code execution on the Flume agent, leading to potential full compromise of the affected system [1][4]. This vulnerability is rated as medium severity [4].
Mitigation
The issue is fixed in Apache Flume 1.10.0 by limiting JNDI to only allow the "java" protocol or no protocol at all [1][2]. The fix was implemented via commit dafb26ccb17, which adds URI scheme validation [3]. Users running versions 1.4.0 through 1.9.0 should upgrade to 1.10.0 or avoid using the JMSSource component entirely [4].
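The fix described above rejects any connectionFactory whose JNDI name carries a scheme other than "java". The following added example (not part of the advisory or of Flume) audits a Flume agent .properties file for JMS sources that still carry such a value; it goes beyond the patch by deciding the scheme the way JNDI's NamingManager.getURLScheme does (text before the first ':' unless a '/' precedes it) and by failing closed on odd input instead of only warning. The configuration text and the LDAP_HOST_PLACEHOLDER host are constructed sample data; "ConnectionFactory" is assumed to be the default connectionFactory value.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed Flume agent configuration (sample data, not from the advisory).
# jms3 is the weak setting: its connectionFactory is an LDAP JNDI URL.
SAMPLE_CONFIG = """\
agent.sources = jms1 jms2 jms3 avro1
agent.sources.jms1.type = jms
agent.sources.jms1.connectionFactory = ConnectionFactory
agent.sources.jms2.type = jms
agent.sources.jms2.connectionFactory = java:comp/env/jms/ConnectionFactory
agent.sources.jms3.type = jms
agent.sources.jms3.connectionFactory = ldap://LDAP_HOST_PLACEHOLDER:389/ConnectionFactory
agent.sources.avro1.type = avro
"""

ALLOWED_SCHEME = "java"
DEFAULT_CONNECTION_FACTORY = "ConnectionFactory"  # assumed Flume default
KEY_RE = re.compile(r"^(?P<agent>[^.\s]+)\.sources\.(?P<src>[^.\s]+)\."
                    r"(?P<prop>[^\s=]+)\s*=\s*(?P<val>.*)$")


def parse_sources(config_text: str) -> Dict[str, Dict[str, str]]:
    """Collect per-source properties from Flume .properties text."""
    sources: Dict[str, Dict[str, str]] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            src = f"{m['agent']}.{m['src']}"
            sources.setdefault(src, {})[m["prop"]] = m["val"].strip()
    return sources


def jndi_scheme(name: str) -> Optional[str]:
    """Scheme JNDI would treat as a URL: text before the first ':' when
    no '/' comes before it (same rule as NamingManager.getURLScheme)."""
    colon = name.find(":")
    if colon <= 0 or "/" in name[:colon]:
        return None
    return name[:colon]


def audit(config_text: str) -> List[Tuple[str, str, str]]:
    """(source, connectionFactory, reason) for each JMS source whose name
    would be resolved through a URL scheme other than 'java'."""
    findings = []
    for src, props in parse_sources(config_text).items():
        if props.get("type", "").lower() != "jms":
            continue
        cf = props.get("connectionFactory", DEFAULT_CONNECTION_FACTORY)
        scheme = jndi_scheme(cf)
        if scheme is not None and scheme.lower() != ALLOWED_SCHEME:
            findings.append((src, cf, f"JNDI URL scheme '{scheme}' not allowed"))
    return findings
```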
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.flume.flume-ng-sources:flume-jms-source (Maven) | >= 1.4.0, < 1.10.0 | 1.10.0 |
Affected products
- Apache Software Foundation / Apache Flume (flume-jms-source)
Patches
- dafb26ccb172: FLUME-3416 - Improve input validation
2 files changed · +22 −0
flume-ng-sources/flume-jms-source/src/main/java/org/apache/flume/source/jms/JMSSource.java+15 −0 modified@@ -19,6 +19,8 @@ import java.io.File; import java.io.IOException; +import java.net.URI; +import java.net.URISyntaxException; import java.util.List; import java.util.Locale; import java.util.Properties; @@ -53,6 +55,7 @@ @InterfaceStability.Unstable public class JMSSource extends AbstractPollableSource implements BatchSizeSupported { private static final Logger logger = LoggerFactory.getLogger(JMSSource.class); + private static final String JAVA_SCHEME = "java"; // setup by constructor private final InitialContextFactory initialContextFactory; @@ -179,6 +182,14 @@ protected void doConfigure(Context context) throws FlumeException { String connectionFactoryName = context.getString( JMSSourceConfiguration.CONNECTION_FACTORY, JMSSourceConfiguration.CONNECTION_FACTORY_DEFAULT).trim(); + try { + URI uri = new URI(connectionFactoryName); + String scheme = uri.getScheme(); + assertTrue(scheme == null || scheme.equals(JAVA_SCHEME), + "Unsupported JNDI URI: " + connectionFactoryName); + } catch (URISyntaxException ex) { + logger.warn("Invalid JNDI URI - {}", connectionFactoryName); + } assertNotEmpty(initialContextFactoryName, String.format( "Initial Context Factory is empty. This is specified by %s", @@ -272,6 +283,10 @@ private void assertNotEmpty(String arg, String msg) { Preconditions.checkArgument(!arg.isEmpty(), msg); } + private void assertTrue(boolean arg, String msg) { + Preconditions.checkArgument(arg, msg); + } + @Override protected synchronized Status doProcess() throws EventDeliveryException { boolean error = true;
flume-ng-sources/flume-jms-source/src/test/java/org/apache/flume/source/jms/TestJMSSource.java+7 −0 modified@@ -125,6 +125,13 @@ public void testConfigureWithoutDestinationName() throws Exception { source.configure(context); } + @Test(expected = IllegalArgumentException.class) + public void testConfigureWithConnectionFactory() throws Exception { + context.put(JMSSourceConfiguration.CONNECTION_FACTORY, + "ldap://localhost:319/connectionFactory"); + source.configure(context); + } + @Test(expected = FlumeException.class) public void testConfigureWithBadDestinationType() throws Exception { context.put(JMSSourceConfiguration.DESTINATION_TYPE, "DUMMY");
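Review bot: in the doConfigure hunk of JMSSource.java the URISyntaxException branch only runs `logger.warn("Invalid JNDI URI - {}", connectionFactoryName);` and falls through, so a connectionFactory value that java.net.URI cannot parse skips the scheme check entirely and still reaches the later JNDI lookup; the check should fail closed, for example `throw new FlumeException("Invalid JNDI URI: " + connectionFactoryName, ex);`, so an unparseable name is rejected the same way an unsupported scheme is. Separately, `scheme.equals(JAVA_SCHEME)` is case-sensitive while URI schemes are case-insensitive; that errs on the safe side, but if `JAVA:` names are meant to be accepted, `equalsIgnoreCase` is the intended comparison.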
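Review bot: the new test in TestJMSSource.java covers only the rejected case (`"ldap://localhost:319/connectionFactory"` expecting IllegalArgumentException); add positive cases for a bare name and a `java:`-scheme name that must still configure, and one for a value that fails URI parsing so the warn-and-continue branch has an explicit expectation rather than an accidental one. The name `testConfigureWithConnectionFactory` also does not say what is asserted; something like `testConfigureRejectsNonJavaSchemeConnectionFactory` reads better next to `testConfigureWithBadDestinationType`.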
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-x5m7-rwfx-w7qm (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-25167 (advisory)
- www.openwall.com/lists/oss-security/2022/06/14/1 (mailing list)
- github.com/apache/flume/commit/dafb26ccb172141c6e14e95447e1b6ae38e9a7d0 (fix commit)
- issues.apache.org/jira/browse/FLUME-3416 (issue tracker)
- lists.apache.org/thread/16nf6b81zjpdc4y93ho99oxo83ddbsvg (mailing list)