Posted to commits@nifi.apache.org by al...@apache.org on 2019/11/14 00:28:13 UTC

svn commit: r1869773 - /nifi/site/trunk/security.html

Author: alopresto
Date: Thu Nov 14 00:28:13 2019
New Revision: 1869773

URL: http://svn.apache.org/viewvc?rev=1869773&view=rev
Log:
Updated security page with 1.10.0 information. 

Modified:
    nifi/site/trunk/security.html

Modified: nifi/site/trunk/security.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1869773&r1=1869772&r2=1869773&view=diff
==============================================================================
--- nifi/site/trunk/security.html (original)
+++ nifi/site/trunk/security.html Thu Nov 14 00:28:13 2019
@@ -151,13 +151,167 @@
 <div class="medium-space"></div>
 <div class="row">
     <div class="large-12 columns features">
+        <h2><a id="1.10.0" href="#1.10.0">Fixed in Apache NiFi 1.10.0</a></h2>
+    </div>
+</div>
+<!-- Vulnerabilities -->
+<div class="row">
+    <div class="large-12 columns features">
+        <h2><a id="1.10.0-vulnerabilities" href="#1.10.0-vulnerabilities">Vulnerabilities</a></h2>
+    </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+    <div class="large-12 columns">
+        <p><a id="CVE-2019-10080" href="#CVE-2019-10080"><strong>CVE-2019-10080</strong></a>: Apache NiFi information disclosure by XXE</p>
+        <p>Severity: <strong>Low</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.3.0 - 1.9.2</li>
+        </ul>
+        </p>
+        <p>Description: The XMLFileLookupService allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI instance uses. </p>
+        <p>Mitigation: A validator to ensure the XML file is not malicious was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
+        <p>Credit: This issue was discovered by RunningSnail. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10080" target="_blank">Mitre Database: CVE-2019-10080</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-6301" target="_blank">NIFI-6301</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3507" target="_blank">PR 3507</a></p>
+        <p>Released: November 4, 2019</p>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="CVE-2019-12421" href="#CVE-2019-12421"><strong>CVE-2019-12421</strong></a>: Apache NiFi user log out issue</p>
+        <p>Severity: <strong>Moderate</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.0.0 - 1.9.2</li>
+        </ul>
+        </p>
+        <p>Description: If NiFi uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi. </p>
+        <p>Mitigation: The fix to invalidate the server-side authentication token immediately after the user clicks 'Log Out' was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
+        <p>Credit: This issue was discovered by Abdu Sahin. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12421" target="_blank">Mitre Database: CVE-2019-12421</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-6085" target="_blank">NIFI-6085</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3362" target="_blank">PR 3362</a></p>
+        <p>Released: November 4, 2019</p>
+    </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+    <div class="large-12 columns">
+        <p><a id="CVE-2019-10083" href="#CVE-2019-10083"><strong>CVE-2019-10083</strong></a>: Apache NiFi process group information disclosure</p>
+        <p>Severity: <strong>Low</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.3.0 - 1.9.2</li>
+        </ul>
+        </p>
+        <p>Description: When updating a Process Group via the API, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to. </p>
+        <p>Mitigation: Requests to update or remove the process group will no longer return the contents of the process group in the response in Apache NiFi 1.10.0. Users running a prior 1.x release should upgrade to the appropriate release. </p>
+        <p>Credit: This issue was discovered by Mark Payne. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10083" target="_blank">Mitre Database: CVE-2019-100833</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-6302" target="_blank">NIFI-6302</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3477" target="_blank">PR 3477</a>, <a href="https://github.com/apache/nifi/pull/3487" target="_blank">PR 3487</a></p>
+        <p>Released: November 4, 2019</p>
+    </div>
+</div>
+<!-- Dependency Vulnerabilities -->
+<div class="row">
+    <div class="large-12 columns features">
+        <h2><a id="1.10.0-dependency-vulnerabilities" href="#1.10.0-dependency-vulnerabilities">Dependency Vulnerabilities</a></h2>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="CVE-2017-5637" href="#CVE-2017-5637"><strong>CVE-2017-5637, CVE-2016-5017, CVE-2018-8012</strong></a>: Apache NiFi's Zookeeper usage</p>
+        <p>Severity: <strong>High</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.0.0 - 1.9.2</li>
+        </ul>
+        </p>
+        <p>Description: Various vulnerabilities existed within the Zookeeper dependency used by NiFi. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-8012" target="_blank">NIST NVD CVE-2018-8012</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5637" target="_blank">NIST NVD CVE-2017-5637</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2016-5017" target="_blank">NIST NVD CVE-2016-5017</a> for more information. </p>
+        <p>Mitigation: The fix to upgrade the Zookeeper dependency from 3.4.6 to 3.5.5 was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
+        <p>Credit: This issue was identified by Nathan Gough. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012" target="_blank">Mitre Database: CVE-2018-8012</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5637" target="_blank">Mitre Database: CVE-2017-5637</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5017" target="_blank">Mitre Database: CVE-2016-5017</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-6578" target="_blank">NIFI-6578</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3715" target="_blank">PR 3715</a></p>
+        <p>Released: November 4, 2019</p>
+    </div>
+    <div class="large-12 columns" style="background-color: aliceblue">
+        <p><a id="CVE-2019-0193" href="#CVE-2019-0193"><strong>CVE-2019-0193, CVE-2019-0192, CVE-2017-3164</strong></a>: Apache NiFi's Solr usage</p>
+        <p>Severity: <strong>Critical</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.0.0 - 1.9.2</li>
+        </ul>
+        </p>
+        <p>Description: Various vulnerabilities existed within the Solr dependency used by NiFi. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-0193" target="_blank">NIST NVD CVE-2019-0193</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-0192" target="_blank">NIST NVD CVE-2019-0192</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-3164" target="_blank">NIST NVD CVE-2017-3164</a> for more information. </p>
+        <p>Mitigation: The fix to upgrade the Solr dependency from 6.2.0 to 6.6.6 was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
+        <p>Credit: This issue was identified by Nathan Gough. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0193" target="_blank">Mitre Database: CVE-2019-0193</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0192" target="_blank">Mitre Database: CVE-2019-0192</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3164" target="_blank">Mitre Database: CVE-2017-3164</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-6516" target="_blank">NIFI-6516</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3629" target="_blank">PR 3629</a></p>
+        <p>Released: November 4, 2019</p>
+    </div>
+    <div class="large-12 columns">
+        <p><a id="CVE-2019-16335" href="#CVE-2019-16335"><strong>CVE-2019-16335, CVE-2019-14540, CVE-2019-14439, CVE-2019-12814, CVE-2019-12384, CVE-2019-12086, CVE-2018-1000873, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360</strong></a>: Apache NiFi's Jackson Core Databind usage</p>
+        <p>Severity: <strong>Medium</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.0.0 - 1.9.2</li>
+        </ul>
+        </p>
+        <p>Description: Various vulnerabilities existed within the Jackson Core: Databind dependency used by NiFi. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-16335" target="_blank">NIST NVD CVE-2019-16335</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-14540" target="_blank">NIST NVD CVE-2019-14540</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-14439" target="_blank">NIST NVD CVE-2019-14439</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-12814" target="_blank">NIST NVD CVE-2019-12814</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-12384" target="_blank">NIST NVD CVE-2019-12384</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-12086" target="_blank">NIST NVD CVE-2019-12086</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-1000873" target="_blank">NIST NVD CVE-2018-1000873</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-19362" target="_blank">NIST NVD CVE-2018-19362</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2018
 -19361" target="_blank">NIST NVD CVE-2018-19361</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-19360" target="_blank">NIST NVD CVE-2018-19360</a> for more information. </p>
+        <p>Mitigation: The fix to upgrade the jackson-databind dependency from 2.9.7 to 2.9.10 was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
+        <p>Credit: This issue was identified by Pierre Villard and Nathan Gough. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16335" target="_blank">Mitre Database: CVE-2019-16335</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540" target="_blank">Mitre Database: CVE-2019-14540</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439" target="_blank">Mitre Database: CVE-2019-14439</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814" target="_blank">Mitre Database: CVE-2019-12814</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384" target="_blank">Mitre Database: CVE-2019-12384</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086" target="_blank">Mitre Database: CVE-2019-12086</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000873" target="_blank">Mitre Database: CVE-2018-1000873</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362" target="_blank">Mitre Database: 
 CVE-2018-19362</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361" target="_blank">Mitre Database: CVE-2018-19361</a>, <a ref="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360" target="_blank">Mitre Database: CVE-2018-19360</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-6709" target="_blank">NIFI-6709</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3765" target="_blank">PR 3765</a></p>
+        <p>Released: November 4, 2019</p>
+    </div>
+    <div class="large-12 columns" style="background-color: aliceblue">
+        <p><a id="CVE-2019-10247" href="#CVE-2019-10247"><strong>CVE-2019-10247, CVE-2019-10246</strong></a>: Apache NiFi's Jetty usage</p>
+        <p>Severity: <strong>Medium</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.8.0 - 1.9.2</li>
+        </ul>
+        </p>
+        <p>Description: Various vulnerabilities existed within the Jetty dependency used by NiFi. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10247" target="_blank">NIST NVD CVE-2019-10247</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10246" target="_blank">NIST NVD CVE-2019-10246</a> for more information. </p>
+        <p>Mitigation: The fix to upgrade the Jetty dependency from 9.4.11.v20180605 to 9.4.19.v20190610 was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
+        <p>Credit: This issue was identified by Jeff Storck and Nathan Gough. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247" target="_blank">Mitre Database: CVE-2019-10247</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246" target="_blank">Mitre Database: CVE-2019-10246</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-6330" target="_blank">NIFI-6330</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3534" target="_blank">PR 3534</a></p>
+        <p>Released: November 4, 2019</p>
+    </div>
+    <div class="large-12 columns">
+        <p><a id="CVE-2019-11358" href="#CVE-2019-11358"><strong>CVE-2019-11358</strong></a>: Apache NiFi's JQuery usage</p>
+        <p>Severity: <strong>Medium</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.6.0 - 1.9.2</li>
+        </ul>
+        </p>
+        <p>Description: Various vulnerabilities existed within the JQuery dependency used by NiFi. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-11358" target="_blank">NIST NVD CVE-2019-11358</a> for more information. </p>
+        <p>Mitigation: The fix to upgrade the JQuery dependency from 3.1.1 to 3.4.1 was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
+        <p>Credit: This issue was identified by Matt Gilman and Rob Fellows. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358" target="_blank">Mitre Database: CVE-2019-11358</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-6316" target="_blank">NIFI-6316</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/3489" target="_blank">PR 3489</a></p>
+        <p>Released: November 4, 2019</p>
+    </div>
+</div>
+<div class="medium-space"></div>
+<div class="row">
+    <div class="large-12 columns features">
         <h2><a id="1.8.0" href="#1.8.0">Fixed in Apache NiFi 1.8.0</a></h2>
     </div>
 </div>
 <!-- Vulnerabilities -->
 <div class="row">
     <div class="large-12 columns features">
-        <h3><a id="1.8.0-vulnerabilities" href="#1.8.0-vulnerabilities">Vulnerabilities</a></h2>
+        <h2><a id="1.8.0-vulnerabilities" href="#1.8.0-vulnerabilities">Vulnerabilities</a></h2>
     </div>
 </div>
 <div class="row" style="background-color: aliceblue">
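Review bot: every "Versions Affected" block in this hunk closes its `<ul>` with a stray `</p>` that has no matching open tag (eight occurrences, each directly after a `</ul>` such as the one following `<li>Apache NiFi 1.3.0 - 1.9.2</li>`); the preceding `<p>Versions Affected:</p>` is already closed, so those `</p>` lines should be dropped. Three smaller defects in the same hunk: the final Jackson link is written as `<a ref="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360"` (missing the `h` of `href`), so it will render as plain text instead of a link; the CVE-2019-10083 entry's link text reads `Mitre Database: CVE-2019-100833` with an extra digit although its URL is correct; and the CVE-2019-10080 description spells the product `NiFI`. Structurally, the Dependency Vulnerabilities entries are all nested in a single `<div class="row">` with the aliceblue shading applied to the column `<div>`, while the Vulnerabilities entries above each get their own row with the shading on the row; using one of the two layouts for both sections would keep the alternating background consistent.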
@@ -235,7 +389,7 @@
 <!-- Dependency Vulnerabilities -->
 <div class="row">
     <div class="large-12 columns features">
-        <h3><a id="1.8.0-dependency-vulnerabilities" href="#1.8.0-dependency-vulnerabilities">Dependency Vulnerabilities</a></h2>
+        <h2><a id="1.8.0-dependency-vulnerabilities" href="#1.8.0-dependency-vulnerabilities">Dependency Vulnerabilities</a></h2>
     </div>
 </div>
 <div class="row" style="background-color: aliceblue">
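Review bot: promoting the opening tag to `<h2>` flattens the heading hierarchy, since "Vulnerabilities" now sits at the same level as "Fixed in Apache NiFi 1.8.0"; the original mismatch (`<h3>` opened, `</h2>` closed) could equally be resolved by changing the close tag to `</h3>`, which keeps these as sub-sections. The same choice is applied to the new 1.10.0 headings in the first hunk and to the dependency and informational headings below, so whichever level is intended should be used consistently across all release sections.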
@@ -259,7 +413,7 @@
 <!-- Informational -->
 <div class="row">
     <div class="large-12 columns features">
-        <h3><a id="1.8.0-informational" href="#1.8.0-informational">Informational</a></h2>
+        <h2><a id="1.8.0-informational" href="#1.8.0-informational">Informational</a></h2>
     </div>
 </div>
 <div class="row" style="background-color: aliceblue">
@@ -298,6 +452,7 @@
         <p>Released: October 26, 2018</p>
     </div>
 </div>
+<div class="medium-space"></div>
 <div class="row">
     <div class="large-12 columns features">
         <h2><a id="1.7.0" href="#1.7.0">Fixed in Apache NiFi 1.7.0</a></h2>
@@ -393,6 +548,7 @@
         <p>Released: June 25, 2018</p>
     </div>
 </div>
+<div class="medium-space"></div>
 <div class="row">
     <div class="large-12 columns features">
         <h2><a id="1.6.0" href="#1.6.0">Fixed in Apache NiFi 1.6.0</a></h2>