Posted to commits@nifi.apache.org by th...@apache.org on 2022/06/15 15:41:06 UTC

[nifi-site] branch main updated: NIFI-10113 - Fixed mitigation on NiFi security page.

This is an automated email from the ASF dual-hosted git repository.

thenatog pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 9452fa7  NIFI-10113 - Fixed mitigation on NiFi security page.
9452fa7 is described below

commit 9452fa75f6247b1283fe70083442ff7f3538d8a8
Author: Nathan Gough <th...@gmail.com>
AuthorDate: Wed Jun 15 11:40:40 2022 -0400

    NIFI-10113 - Fixed mitigation on NiFi security page.
---
 src/pages/html/security.hbs | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs
index 5c3293c..fc419a6 100644
--- a/src/pages/html/security.hbs
+++ b/src/pages/html/security.hbs
@@ -68,15 +68,20 @@ title: Apache NiFi Security Reports
     <div class="large-12 columns">
         <p><a id="CVE-2022-33140" href="#CVE-2022-33140"><strong>CVE-2022-33140</strong></a>: Improper Neutralization of Command Elements in Shell User Group Provider</p>
         <p>Severity: <strong>High</strong></p>
-        <p>Products Affected: Apache NiFi, Apache NiFi Registry</p>
+        <p>Products Affected:</p>
+        <ul>
+            <li>Apache NiFi</li>
+            <li>Apache NiFi Registry</li>
+        </ul>
         <p>Versions Affected:</p>
         <ul>
-            <li>This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS. This issue also affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS.</li>
+            <li>This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS.</li>
+            <li>This issue affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS.</li>
         </ul>
         </p>
         <p>Description: The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms.</p>
         <p>The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user gr [...]
-        <p>Mitigation: Upgrading to NiFi 1.16.1 disables Document Type Declarations in the default configuration for these processors, and disallows XML External Entity resolution in standard services.</p>
+        <p>Mitigation: NiFi and NiFi Registry version 1.16.3 has completely removed the shell commands from the ShellUserGroupProvider that received user arguments.</p>
         <p>Credit: This issue was discovered by an anonymous reporter</p>
         <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33140" target="_blank">Mitre Database CVE-2022-33140</a></p>
         <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-10114" target="_blank">NIFI-10114</a></p>
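Review bot: the replacement Mitigation line at the end of the hunk has a subject/verb mismatch ("NiFi and NiFi Registry version 1.16.3 has completely removed") and, unlike the other entries on this page, does not tell the reader what to do; consider phrasing it as an upgrade instruction, e.g. `<p>Mitigation: Upgrading to NiFi or NiFi Registry 1.16.3 removes the ShellUserGroupProvider shell commands that received user arguments.</p>`. While touching this block, the stray `</p>` that follows the closing `</ul>` of the Versions Affected list (unchanged context in this hunk) has no matching opening tag, since `<p>Versions Affected:</p>` is already closed, and could be dropped in the same change.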