Posted to commits@nifi.apache.org by al...@apache.org on 2018/09/04 21:32:21 UTC

[1/2] nifi-site git commit: Updated security page with 1.7.0 fixes.

Repository: nifi-site
Updated Branches:
  refs/heads/master a26cecba2 -> 3eba5fa99


Updated security page with 1.7.0 fixes.


Project: http://git-wip-us.apache.org/repos/asf/nifi-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi-site/commit/0e115932
Tree: http://git-wip-us.apache.org/repos/asf/nifi-site/tree/0e115932
Diff: http://git-wip-us.apache.org/repos/asf/nifi-site/diff/0e115932

Branch: refs/heads/master
Commit: 0e11593289440f9d05ebfedb49b300290c66e66c
Parents: a26cecb
Author: Andy LoPresto <al...@apache.org>
Authored: Tue Sep 4 14:22:49 2018 -0700
Committer: Andy LoPresto <al...@apache.org>
Committed: Tue Sep 4 14:22:49 2018 -0700

----------------------------------------------------------------------
 src/pages/html/security.hbs | 91 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 88 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi-site/blob/0e115932/src/pages/html/security.hbs
----------------------------------------------------------------------
diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs
index 455ee11..df24a61 100644
--- a/src/pages/html/security.hbs
+++ b/src/pages/html/security.hbs
@@ -47,6 +47,91 @@ title: Apache NiFi Security Reports
 <div class="medium-space"></div>
 <div class="row">
     <div class="large-12 columns features">
+        <h2>Fixed in Apache NiFi 1.7.0</h2>
+    </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+    <div class="large-12 columns">
+        <p><a id="CVE-2018-1324" href="#CVE-2018-1324"><strong>CVE-2018-1324</strong></a>: Apache NiFi Denial of service issue because of commons-compress vulnerability</p>
+        <p>Severity: <strong>Low</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 0.1.0 - 1.6.0</li>
+        </ul>
+        </p>
+        <p>Description: A vulnerability in the commons-compress library could cause denial of service. See <a href="https://commons.apache.org/proper/commons-compress/security-reports.html" target="_blank">commons-compress CVE-2018-1324 announcement</a> for more information. </p>
+        <p>Mitigation: The fix to upgrade the commons-compress library to 1.16.1 was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release. <strong>This was <a href="#CVE-2018-1324-160">previously incorrectly reported</a> as being fixed in Apache NiFi 1.6.0</strong></p>
+        <p>Credit: This issue was discovered by Joe Witt. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324" target="_blank">Mitre Database: CVE-2018-1324</a></p>
+        <p>Released: June 25, 2018</p>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="CVE-2016-1000031" href="#CVE-2016-1000031"><strong>CVE-2016-1000031</strong></a>: Apache NiFi dependency vulnerability in commons-fileupload</p>
+        <p>Severity: <strong>Moderate</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 0.1.0 - 1.6.0</li>
+        </ul>
+        </p>
+        <p>Description: A vulnerability in the commons-fileupload library could cause remote code execution (RCE). See <a href="https://www.tenable.com/security/research/tra-2016-30" target="_blank">Tenable Research Advisory TRA-2016-30</a> for more information. </p>
+        <p>Mitigation: The fix to upgrade the commons-fileupload library to 1.3.3 was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release. <em>Apache Commons project <a href="https://nvd.nist.gov/vuln/detail/CVE-2016-1000031" target="_blank">contests validity of this vulnerability</a> and proposes this is the responsibility of the consuming application. </em></p>
+        <p>Credit: This issue was discovered by Matt Gilman. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031" target="_blank">Mitre Database: CVE-2016-1000031</a></p>
+        <p>Released: June 25, 2018</p>
+    </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+    <div class="large-12 columns">
+        <p><a id="CVE-2018-7489" href="#CVE-2018-7489"><strong>CVE-2018-7489</strong></a>, <a id="CVE-2017-7525" href="#CVE-2017-7525"><strong>CVE-2017-7525</strong></a>, and <a id="CVE-2017-15095" href="#CVE-2017-15095"><strong>CVE-2017-15095</strong></a>: Apache NiFi dependency vulnerability in FasterXML Jackson</p>
+        <p>Severity: <strong>Severe</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 0.1.0 - 1.6.0</li>
+        </ul>
+        </p>
+        <p>Description: A vulnerability in the FasterXML Jackson XML parsing library could allow unauthenticated remote code execution (RCE). See <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-7489" target="_blank">NVD CVE-2018-7489</a> for more information. </p>
+        <p>Mitigation: The fix to upgrade the jackson-databind library to 2.9.5 was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
+        <p>Credit: This issue was discovered by Sivaprasanna Sethuraman. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489" target="_blank">Mitre Database: CVE-2018-7489</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525" target="_blank">Mitre Database: CVE-2017-7525</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095" target="_blank">Mitre Database: CVE-2017-15095</a></p>
+        <p>Released: June 25, 2018</p>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="angular:20171018" href="#angular:20171018"><strong>angular:20171018</strong></a> and <a id="angular:20180202" href="#angular:20180202"><strong>angular:20180202</strong></a>: Apache NiFi dependency XSS vulnerability in AngularJS</p>
+        <p>Severity: <strong>Moderate</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 0.1.0 - 1.6.0</li>
+        </ul>
+        </p>
+        <p>Description: A vulnerability in the AngularJS library could allow XSS. See <a href="https://snyk.io/vuln/npm:angular:20171018" target="_blank">Snyk npm:angular:20171018</a> and <a href="https://snyk.io/vuln/npm:angular:20180202" target="_blank">Snyk npm:angular:20180202</a> for more information. </p>
+        <p>Mitigation: The fix to upgrade the commons-compress library to 1.7.0 was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
+        <p>Credit: This issue was discovered by Prashanth V. </p>
+        <p>CVE Link: N/A</p>
+        <p>Released: June 25, 2018</p>
+    </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+    <div class="large-12 columns">
+        <p><a id="NIFI-2018-009" href="#NIFI-2018-009"><strong>NIFI-2018-009</strong></a>: Apache NiFi proactive escaping of batch ingest JSON to Elasticsearch to prevent injection attack</p>
+        <p>Severity: <strong>Low</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 0.1.0 - 1.6.0</li>
+        </ul>
+        </p>
+        <p>Description: While no published attack exists, NiFi strengthened the security around the batch processing Elasticsearch ingest feature to prevent injection attacks. </p>
+        <p>Mitigation: The improved content escaping was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
+        <p>Credit: This issue was discovered by Jonathan Logan. </p>
+        <p>CVE Link: N/A</p>
+        <p>Released: June 25, 2018</p>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns features">
         <h2>Fixed in Apache NiFi 1.6.0</h2>
     </div>
 </div>
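Review bot: The AngularJS entry's mitigation line reads "The fix to upgrade the commons-compress library to 1.7.0 was applied on the Apache NiFi 1.7.0 release", which looks copied from the CVE-2018-1324 entry above it; the description and the Snyk links concern the angular npm package, so this line should name the AngularJS library and the version NiFi actually upgraded to. Two smaller points in the same hunk: the CVE-2018-7489 / CVE-2017-7525 / CVE-2017-15095 description calls Jackson an "XML parsing library" while the mitigation upgrades jackson-databind, which is the JSON data-binding artifact these advisories concern, so "JSON" is the accurate word; and every new entry carries a stray `</p>` after `</ul>` (the `<p>Versions Affected:</p>` is already closed), which is invalid markup that should be dropped rather than propagated from the older entries. The CVE-2018-1324 mitigation is also missing a period after "Apache NiFi 1.6.0".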
@@ -100,18 +185,18 @@ title: Apache NiFi Security Reports
 </div>
 <div class="row" style="background-color: aliceblue">
     <div class="large-12 columns">
-        <p><a id="CVE-2018-1324" href="#CVE-2018-1324"><strong>CVE-2018-1324</strong></a>: Apache NiFi Denial of service issue because of commons-compress vulnerability</p>
+        <p><a id="CVE-2018-1324-160" href="#CVE-2018-1324-160"><strong><strike>CVE-2018-1324</strike></strong></a>: <strike>Apache NiFi Denial of service issue because of commons-compress vulnerability</strike> -- <em>This issue was <a href="#CVE-2018-1324">resolved in Apache NiFi 1.7.0</a></em></p>
         <p>Severity: <strong>Low</strong></p>
         <p>Versions Affected:</p>
         <ul>
-            <li>Apache NiFi 0.1.0 - 1.5.0</li>
+            <li><strike>Apache NiFi 0.1.0 - 1.5.0</strike></li>
         </ul>
         </p>
         <p>Description: A vulnerability in the commons-compress library could cause denial of service. See <a href="https://commons.apache.org/proper/commons-compress/security-reports.html" target="_blank">commons-compress CVE-2018-1324 announcement</a> for more information. </p>
         <p>Mitigation: The fix to upgrade the commons-compress library to 1.16.1 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
         <p>Credit: This issue was discovered by Joe Witt. </p>
         <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324" target="_blank">Mitre Database: CVE-2018-1324</a></p>
-        <p>Released: April 8, 2018</p>
+        <p><strike>Released: April 8, 2018</strike></p>
     </div>
 </div>
 <div class="medium-space"></div>
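Review bot: In the retracted 1.6.0 entry the heading, version range and release date are struck through, but the Mitigation line is left unstruck and still states "The fix to upgrade the commons-compress library to 1.16.1 was applied on the Apache NiFi 1.6.0 release", which contradicts the new "resolved in Apache NiFi 1.7.0" note; strike that sentence too, or reword it to say the 1.6.0 upgrade did not take effect and point readers to the 1.7.0 entry. Also, `<strike>` is obsolete in HTML5; `<del>` (or `<s>`) renders the same and is valid. Renaming the bookmark to `#CVE-2018-1324-160` means any external link to `#CVE-2018-1324` now lands on the corrected 1.7.0 entry, which is the right outcome.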


[2/2] nifi-site git commit: Added links to NiFi Jira and PR for 1.7.0 security fixes.

Posted by al...@apache.org.
Added links to NiFi Jira and PR for 1.7.0 security fixes.


Project: http://git-wip-us.apache.org/repos/asf/nifi-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/nifi-site/commit/3eba5fa9
Tree: http://git-wip-us.apache.org/repos/asf/nifi-site/tree/3eba5fa9
Diff: http://git-wip-us.apache.org/repos/asf/nifi-site/diff/3eba5fa9

Branch: refs/heads/master
Commit: 3eba5fa9988fbd538c35e58d4066d1ed3881a214
Parents: 0e11593
Author: Andy LoPresto <al...@apache.org>
Authored: Tue Sep 4 14:32:12 2018 -0700
Committer: Andy LoPresto <al...@apache.org>
Committed: Tue Sep 4 14:32:12 2018 -0700

----------------------------------------------------------------------
 src/pages/html/security.hbs | 10 ++++++++++
 1 file changed, 10 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/nifi-site/blob/3eba5fa9/src/pages/html/security.hbs
----------------------------------------------------------------------
diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs
index df24a61..61ceb77 100644
--- a/src/pages/html/security.hbs
+++ b/src/pages/html/security.hbs
@@ -63,6 +63,8 @@ title: Apache NiFi Security Reports
         <p>Mitigation: The fix to upgrade the commons-compress library to 1.16.1 was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release. <strong>This was <a href="#CVE-2018-1324-160">previously incorrectly reported</a> as being fixed in Apache NiFi 1.6.0</strong></p>
         <p>Credit: This issue was discovered by Joe Witt. </p>
         <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324" target="_blank">Mitre Database: CVE-2018-1324</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-5108" target="_blank">NIFI-5108</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/2651" target="_blank">PR 2651</a></p>
         <p>Released: June 25, 2018</p>
     </div>
 </div>
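Review bot: The new Jira and PR anchors add more `target="_blank"` links to external hosts without `rel="noopener noreferrer"`; on a security page it is worth adding that attribute so the opened tab cannot reach `window.opener`, and the same applies to the existing CVE, NVD and Snyk links elsewhere in the file.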
@@ -79,6 +81,8 @@ title: Apache NiFi Security Reports
         <p>Mitigation: The fix to upgrade the commons-fileupload library to 1.3.3 was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release. <em>Apache Commons project <a href="https://nvd.nist.gov/vuln/detail/CVE-2016-1000031" target="_blank">contests validity of this vulnerability</a> and proposes this is the responsibility of the consuming application. </em></p>
         <p>Credit: This issue was discovered by Matt Gilman. </p>
         <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031" target="_blank">Mitre Database: CVE-2016-1000031</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-5124" target="_blank">NIFI-5124</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/2662" target="_blank">PR 2662</a></p>
         <p>Released: June 25, 2018</p>
     </div>
 </div>
@@ -95,6 +99,8 @@ title: Apache NiFi Security Reports
         <p>Mitigation: The fix to upgrade the jackson-databind library to 2.9.5 was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
         <p>Credit: This issue was discovered by Sivaprasanna Sethuraman. </p>
         <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489" target="_blank">Mitre Database: CVE-2018-7489</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525" target="_blank">Mitre Database: CVE-2017-7525</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095" target="_blank">Mitre Database: CVE-2017-15095</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-5286" target="_blank">NIFI-5286</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/2775" target="_blank">PR 2775</a></p>
         <p>Released: June 25, 2018</p>
     </div>
 </div>
@@ -111,6 +117,8 @@ title: Apache NiFi Security Reports
         <p>Mitigation: The fix to upgrade the commons-compress library to 1.7.0 was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
         <p>Credit: This issue was discovered by Prashanth V. </p>
         <p>CVE Link: N/A</p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-5215" target="_blank">NIFI-5215</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/2721" target="_blank">PR 2721</a></p>
         <p>Released: June 25, 2018</p>
     </div>
 </div>
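Review bot: The context line above the new links still reads "The fix to upgrade the commons-compress library to 1.7.0" in the AngularJS XSS entry, so the copy/paste from the CVE-2018-1324 entry survives this follow-up; since the hunk already touches this block, correct it here to name the AngularJS upgrade (and its version) that NIFI-5215 / PR 2721 delivered.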
@@ -127,6 +135,8 @@ title: Apache NiFi Security Reports
         <p>Mitigation: The improved content escaping was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
         <p>Credit: This issue was discovered by Jonathan Logan. </p>
         <p>CVE Link: N/A</p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-5266" target="_blank">NIFI-5266</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/2760" target="_blank">PR 2760</a></p>
         <p>Released: June 25, 2018</p>
     </div>
 </div>