Bug 2126222 (CVE-2022-34916)
| Summary: | CVE-2022-34916 flume: JNDI Injection in JMSMessageConsumer | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Chess Hazlett <chazlett> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | asoldano, ataylor, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, chfoley, darran.lofthouse, dkreling, dosoudil, fjuma, istudens, ivassile, iweiss, jochrist, jross, jscholz, jwon, lgao, mmclaugh, mokumar, mosmerov, msochure, msvehla, nwallace, pesilva, pjindal, pmackay, rstancel, smaestri, swoodman, tom.jenkinson |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | flume 1.10.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-11-30 10:32:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2120123 | | |

Description
Chess Hazlett
2022-09-12 22:16:44 UTC
jdg does not ship flume in its delivered code, deptopia references indicate log4j2 for some reason. amq clients points to affected version in maven pom. amq streams does not ship. eap-7 appears to enable flume. eap-xp4 does not ship.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-34916