Fixed CVEs in Flow Management

Review the list of common vulnerabilities and exposures fixed in Cloudera Flow Management (CFM) 2.2.7 in Data Hub in CDP Public Cloud 7.2.17.

Potential Deserialization of Untrusted Data with JNDI in JMS Components. The JndiJmsConnectionFactoryProvider controller service along with the ConsumeJMS and PublishJMS processors, in Apache NiFi from 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. For more information, see Behavioral changes.