Vulnerability DatabaseCVE-2022-25167

CVE-2022-25167:
Java vulnerability analysis and mitigation

Overview

Apache Flume versions 1.4.0 through 1.9.0 were identified with a remote code execution (RCE) vulnerability, tracked as CVE-2022-25167. The vulnerability was discovered by the Flume development team and publicly disclosed on June 14, 2022. The issue affects configurations that use a JMS Source with a JNDI LDAP data source URI, particularly when an attacker has control of the target LDAP server (CVE Details).

Technical details

The vulnerability exists in Flume's JMSSource class, which can be configured with a connection factory name. The core issue lies in the JNDI lookup process, which is performed on this name without proper validation, potentially leading to the deserialization of untrusted data. The severity of this vulnerability is classified as medium (Openwall).

Impact

When exploited, this vulnerability could allow attackers to execute remote code on affected systems through the deserialization of untrusted data when using the JMS Source component with JNDI LDAP data source URIs (NVD).

Mitigation and workarounds

The vulnerability has been fixed in Apache Flume version 1.10.0, which implements stricter protocol validation. In the new version, if a protocol is specified in the connection factory parameter, only the java protocol is allowed. If no protocol is specified, it is also allowed. For versions 1.4.0 through 1.9.0, it is recommended not to use the JMSSource component (Openwall).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

9.8

Score

Published June 14, 2022

Severity CRITICAL

CNA Score N/A

Affected Technologies

Java
Homebrew

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 93.4

Exploitation Probability (EPSS) 11.6

Affected packages and libraries

org.apache.flume.flume-ng-sources:flume-jms-source
org.apache.flume:flume-parent

Sources

NVD
GitHub Advisory Database
- Maven Severity HIGHHas FixAdded at: Jun 17, 2022
Homebrew
- Homebrew Severity CRITICALHas FixAdded at: Feb 12, 2024

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Java vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-14306	CRITICAL	10	Java	net.sf.robocode:robocode.core	No	Yes	Dec 09, 2025
CVE-2025-14307	CRITICAL	9.3	Java	net.sf.robocode:robocode.battle	No	Yes	Dec 09, 2025
CVE-2025-66566	HIGH	8.2	Java	at.yawk.lz4:lz4-java	No	Yes	Dec 05, 2025
CVE-2025-66623	HIGH	7.4	Java	io.strimzi:strimzi	No	Yes	Dec 05, 2025
GHSA-93fv-4pm9-xp28	MEDIUM	6.9	Java	net.dv8tion:jda	No	Yes	Dec 09, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2022-25167: Java vulnerability analysis and mitigation