Posted to commits@nifi.apache.org by al...@apache.org on 2020/09/30 22:24:14 UTC

svn commit: r1882168 - /nifi/site/trunk/security.html

Author: alopresto
Date: Wed Sep 30 22:24:14 2020
New Revision: 1882168

URL: http://svn.apache.org/viewvc?rev=1882168&view=rev
Log:
Announced 1.12.1 CVEs. 

Modified:
    nifi/site/trunk/security.html

Modified: nifi/site/trunk/security.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1882168&r1=1882167&r2=1882168&view=diff
==============================================================================
--- nifi/site/trunk/security.html (original)
+++ nifi/site/trunk/security.html Wed Sep 30 22:24:14 2020
@@ -157,6 +157,164 @@
     </div>
 </div>
 <div class="medium-space"></div>
+<div class="row">
+    <div class="large-12 columns features">
+        <h2><a id="1.12.0" href="#1.12.0">Fixed in Apache NiFi 1.12.0</a></h2>
+    </div>
+</div>
+<!-- Vulnerabilities -->
+<div class="row">
+    <div class="large-12 columns features">
+        <h2><a id="1.12.0-vulnerabilities" href="#1.12.0-vulnerabilities">Vulnerabilities</a></h2>
+    </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+    <div class="large-12 columns">
+        <p><a id="CVE-2020-9486" href="#CVE-2020-9486"><strong>CVE-2020-9486</strong></a>: Apache NiFi information disclosure in logs</p>
+        <p>Severity: <strong>Important</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.10.0 - 1.11.4</li>
+        </ul>
+        </p>
+        <p>Description: The NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext. </p>
+        <p>Mitigation: Implemented Argon2 secure hashing to provide a deterministic loggable value which does not reveal the sensitive value. Users running any previous NiFi release should upgrade to the latest release. </p>
+        <p>Credit: This issue was discovered by Andy LoPresto and Pierre Villard. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9486" target="_blank">Mitre Database: CVE-2020-9486</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-7377" target="_blank">NIFI-7377</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/4222" target="_blank">PR 4222</a></p>
+        <p>Released: August 18, 2020</p>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="CVE-2020-9487" href="#CVE-2020-9487"><strong>CVE-2020-9487</strong></a>: Apache NiFi denial of service</p>
+        <p>Severity: <strong>Important</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.0.0 - 1.11.4</li>
+        </ul>
+        </p>
+        <p>Description: The NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens. </p>
+        <p>Mitigation: Disabled anonymous authentication, implemented a multi-indexed cache, and limited token creation requests to one concurrent request per user. Users running any previous NiFi release should upgrade to the latest release. </p>
+        <p>Credit: This issue was discovered by an anonymous community member. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9487" target="_blank">Mitre Database: CVE-2020-9487</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-7385" target="_blank">NIFI-7385</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/4271" target="_blank">PR 4271</a></p>
+        <p>Released: August 18, 2020</p>
+    </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+    <div class="large-12 columns">
+        <p><a id="CVE-2020-9491" href="#CVE-2020-9491"><strong>CVE-2020-9491</strong></a>: Apache NiFi use of weak TLS protocols</p>
+        <p>Severity: <strong>Critical</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.2.0 - 1.11.4</li>
+        </ul>
+        </p>
+        <p>Description: The NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like <code>ListenHTTP</code>, <code>HandleHttpRequest</code>, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1. </p>
+        <p>Mitigation: Refactored disparate internal SSL and TLS code, reducing exposure for extension and framework developers to low-level primitives. Added support for TLS v1.3 on supporting JVMs. Restricted all incoming TLS communications to TLS v1.2+. Users running any previous NiFi release should upgrade to the latest release. </p>
+        <p>Credit: This issue was discovered by Juan Carlos Sequeiros and Andy LoPresto. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9491" target="_blank">Mitre Database: CVE-2020-9491</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-7401" target="_blank">NIFI-7401</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/4263" target="_blank">PR 4263</a></p>
+        <p>Released: August 18, 2020</p>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="CVE-2020-13940" href="#CVE-2020-13940"><strong>CVE-2020-13940</strong></a>: Apache NiFi information disclosure by XXE</p>
+        <p>Severity: <strong>Low</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.0.0 - 1.11.4</li>
+        </ul>
+        </p>
+        <p>Description: The notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE). </p>
+        <p>Mitigation: An XML validator was introduced to prevent malicious code from being parsed and executed. Users running any previous NiFi release should upgrade to the latest release. </p>
+        <p>Credit: This issue was discovered by Matt Burgess and Andy LoPresto. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13940" target="_blank">Mitre Database: CVE-2020-13940</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-7680" target="_blank">NIFI-7680</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/4436" target="_blank">PR 4436</a></p>
+        <p>Released: August 18, 2020</p>
+    </div>
+</div>
+<!-- Dependency Vulnerabilities -->
+<div class="row">
+    <div class="large-12 columns features">
+        <h2><a id="1.12.0-dependency-vulnerabilities" href="#1.12.0-dependency-vulnerabilities">Dependency Vulnerabilities</a></h2>
+    </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+    <div class="large-12 columns">
+        <p><a id="CVE-2019-9658" href="#CVE-2019-9658"><strong>CVE-2019-9658</strong></a>: Apache NiFi's checkstyle usage</p>
+        <p>Severity: <strong>Low</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.8.0 - 1.11.4</li>
+        </ul>
+        </p>
+        <p>Description: The com.puppycrawl.tools:checkstyle dependency had a XXE vulnerability. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-9658" target="_blank">NIST NVD CVE-2019-9658</a> for more information. </p>
+        <p>Mitigation: checkstyle was upgraded from 8.28 to 8.29 for the Apache NiFi 1.12.0 release. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658" target="_blank">Mitre Database: CVE-2019-9658</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-7108" target="_blank">NIFI-7108</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/4041" target="_blank">PR 4041</a></p>
+        <p>Released: August 18, 2020</p>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="CVE-2019-12086" href="#CVE-2019-12086"><strong>CVE-2019-12086</strong></a>: Apache NiFi's jackson-databind usage</p>
+        <p>Severity: <strong>Low</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.8.0 - 1.11.4</li>
+        </ul>
+        </p>
+        <p>Description: The com.fasterxml.jackson.core:jackson-databind dependency had a polymorphic typing vulnerability which exposed some MySQL server access to an attacker. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-12086" target="_blank">NIST NVD CVE-2019-12086</a> for more information. </p>
+        <p>Mitigation: jackson-databind was upgraded from 2.9.10.1 to 2.9.10.5 for the Apache NiFi 1.12.0 release. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086" target="_blank">Mitre Database: CVE-2019-12086</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-7542" target="_blank">NIFI-7542</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/4362" target="_blank">PR 4362</a></p>
+        <p>Released: August 18, 2020</p>
+    </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+    <div class="large-12 columns">
+        <p><a id="CVE-2020-7676" href="#CVE-2020-7676"><strong>CVE-2020-7676</strong></a>: Apache NiFi's angular.js usage</p>
+        <p>Severity: <strong>Low</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.8.0 - 1.11.4</li>
+        </ul>
+        </p>
+        <p>Description: The angular.js dependency had an XSS vulnerability. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-7676" target="_blank">NIST NVD CVE-2020-7676-9658</a> for more information. </p>
+        <p>Mitigation: angular.js was upgraded from 1.7.9 to 1.8.0 for the Apache NiFi 1.12.0 release. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7676" target="_blank">Mitre Database: CVE-2020-7676</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-7577" target="_blank">NIFI-7577</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/4357" target="_blank">PR 4357</a></p>
+        <p>Released: August 18, 2020</p>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="CVE-2020-11023" href="#CVE-2020-11023"><strong>CVE-2020-11023</strong></a>: Apache NiFi's jquery usage</p>
+        <p>Severity: <strong>Low</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.8.0 - 1.11.4</li>
+        </ul>
+        </p>
+        <p>Description: The jquery dependency had an XSS vulnerability. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-11023" target="_blank">NIST NVD CVE-2020-11023</a> for more information. </p>
+        <p>Mitigation: jquery was upgraded from 3.4.1 to 3.5.1 for the Apache NiFi 1.12.0 release. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023" target="_blank">Mitre Database: CVE-2020-11023</a></p>
+        <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-7423" target="_blank">NIFI-7423</a></p>
+        <p>NiFi PR: <a href="https://github.com/apache/nifi/pull/4258" target="_blank">PR 4258</a></p>
+        <p>Released: August 18, 2020</p>
+    </div>
+</div>
+<div class="medium-space"></div>
  <div class="row">
          <div class="large-12 columns features">
              <h2><a id="1.11.4" href="#1.11.4">Fixed in Apache NiFi 1.11.4</a></h2>
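Review bot: every "Versions Affected" block in the new section closes its `<ul>` and then emits a stray `</p>` (e.g. the line after `<li>Apache NiFi 1.10.0 - 1.11.4</li> </ul>`), which has no matching opening `<p>`; drop those eight `</p>` lines or wrap the "Versions Affected:" label and list in one properly paired element so the page stays well-formed. In the CVE-2020-7676 entry the NVD link text reads `NIST NVD CVE-2020-7676-9658` while the href points at CVE-2020-7676; the trailing `-9658` looks copied from the checkstyle entry and should be removed. The dependency entries also omit the "Credit:" line the four NiFi-specific entries carry; if that is deliberate it is fine, otherwise add it for consistency with the existing sections below.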