Posted to issues@nifi.apache.org by "Mike R (Jira)" <ji...@apache.org> on 2022/03/31 19:05:00 UTC

[jira] [Created] (NIFI-9855) NiFi Can Delete Its Own Processors

Mike R created NIFI-9855:
----------------------------

             Summary: NiFi Can Delete Its Own Processors
                 Key: NIFI-9855
                 URL: https://issues.apache.org/jira/browse/NIFI-9855
             Project: Apache NiFi
          Issue Type: Bug
    Affects Versions: 1.15.3, 1.15.2, 1.16.0
         Environment: All Linux Distros
            Reporter: Mike R


Using the GetFile and PutFile processors, an attacker could overwrite the configuration files to /dev/null. Using a regex of (.*?), an attacker could point the GetFile Processor to the directory in which the NiFi configuration files are located. If the attacker is able to log in, they can send the files to /dev/null on Linux, which, although it will cause a warning in the PutFile processor, will still process.

This does not require that the attacker have access to the underlying system, but rather just NiFi itself.

The ways to prevent this from happening would be to prevent the GetFile Processor and other NiFi processors from being able to directly read files from the configuration directories in a way that deletes the existing files, and another option would be to have processors prevented from overwriting configuration directory files.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
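
An added example, not part of the original report and not NiFi code: a Python audit for the first mitigation idea above, flagging GetFile processors whose Input Directory resolves into (or, with recursion, above) a protected directory while Keep Source File is not true. The property names are GetFile's; the processor dict layout, function names and sample paths are assumptions constructed for illustration.

```python
import os

CONF = "/opt/nifi-example/conf"  # constructed path standing in for the NiFi conf dir

def _inside(path, root):
    """True if path is root or lies beneath it (both already resolved)."""
    return os.path.commonpath([path, root]) == root

def risky_getfile(processors, protected_dirs):
    """Names of GetFile processors able to remove files from a protected dir."""
    roots = [os.path.realpath(d) for d in protected_dirs]
    flagged = []
    for proc in processors:
        if proc["type"] != "GetFile":
            continue
        props = proc["properties"]
        # GetFile removes what it picks up unless Keep Source File is true.
        if props.get("Keep Source File", "false").lower() == "true":
            continue
        # realpath collapses ".." segments and follows symlinks before comparing.
        src = os.path.realpath(props["Input Directory"])
        recurse = props.get("Recurse Subdirectories", "true").lower() == "true"
        # File Filter is deliberately ignored: any filter may match a config file.
        for root in roots:
            if _inside(src, root) or (recurse and _inside(root, src)):
                flagged.append(proc["name"])
                break
    return flagged

# Constructed sample flow entries (hypothetical layout, not NiFi's flow format).
SAMPLE = [
    {"name": "ingest", "type": "GetFile",
     "properties": {"Input Directory": "/data/in"}},
    {"name": "dotdot", "type": "GetFile",
     "properties": {"Input Directory": "/opt/nifi-example/logs/../conf",
                    "File Filter": "(.*?)"}},
    {"name": "parent", "type": "GetFile",
     "properties": {"Input Directory": "/opt/nifi-example"}},
    {"name": "parent-flat", "type": "GetFile",
     "properties": {"Input Directory": "/opt/nifi-example",
                    "Recurse Subdirectories": "false"}},
    {"name": "copy-only", "type": "GetFile",
     "properties": {"Input Directory": CONF, "Keep Source File": "true"}},
    {"name": "sink", "type": "PutFile", "properties": {"Directory": "/dev/null"}},
]

if __name__ == "__main__":
    print(risky_getfile(SAMPLE, [CONF]))
```
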