You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@nifi.apache.org by th...@apache.org on 2022/06/15 16:04:26 UTC

svn commit: r1901946 - /nifi/site/trunk/security.html

Author: thenatog
Date: Wed Jun 15 16:04:25 2022
New Revision: 1901946

URL: http://svn.apache.org/viewvc?rev=1901946&view=rev
Log:
NIFI-10113 - Fixed mitigation on NiFi security page.

Modified:
    nifi/site/trunk/security.html

Modified: nifi/site/trunk/security.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1901946&r1=1901945&r2=1901946&view=diff
==============================================================================
--- nifi/site/trunk/security.html (original)
+++ nifi/site/trunk/security.html Wed Jun 15 16:04:25 2022
@@ -174,15 +174,20 @@
     <div class="large-12 columns">
         <p><a id="CVE-2022-33140" href="#CVE-2022-33140"><strong>CVE-2022-33140</strong></a>: Improper Neutralization of Command Elements in Shell User Group Provider</p>
         <p>Severity: <strong>High</strong></p>
-        <p>Products Affected: Apache NiFi, Apache NiFi Registry</p>
+        <p>Products Affected:</p>
+        <ul>
+            <li>Apache NiFi</li>
+            <li>Apache NiFi Registry</li>
+        </ul>
         <p>Versions Affected:</p>
         <ul>
-            <li>This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS. This issue also affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS.</li>
+            <li>This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS.</li>
+            <li>This issue affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS.</li>
         </ul>
         </p>
         <p>Description: The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms.</p>
         <p>The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups to execute the command.</p>
-        <p>Mitigation: Upgrading to NiFi 1.16.1 disables Document Type Declarations in the default configuration for these processors, and disallows XML External Entity resolution in standard services.</p>
+        <p>Mitigation: NiFi and NiFi Registry version 1.16.3 has completely removed the shell commands from the ShellUserGroupProvider that received user arguments.</p>
         <p>Credit: This issue was discovered by an anonymous reporter</p>
         <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33140" target="_blank">Mitre Database CVE-2022-33140</a></p>
         <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-10114" target="_blank">NIFI-10114</a></p>