Posted to users@nifi.apache.org by "Ganesh, B (Nokia - IN/Bangalore)" <b....@nokia.com> on 2021/12/13 05:08:10 UTC

Nifi 1.14 vulnerabilities critical

Hi ,
 As part of the upgrade from nifi-1.13.2 to nifi-1.14.0 we performed scans on nifi 1.14.0, and as a result there are a few critical and high vulnerabilities.
Critical vulnerabilities

Vulnerability Id   Severity   Path                                       Fix available   Link
CVE-2017-7657      Critical   /opt/nifi/lib/jetty-schemas-3.1.jar        None            https://nvd.nist.gov/vuln/detail/CVE-2017-7657
CVE-2017-7658      Critical   /opt/nifi/lib/jetty-schemas-3.1.jar        None            https://nvd.nist.gov/vuln/detail/CVE-2017-7658
CVE-2019-12415     Critical   /opt/nifi/lib/nifi-nar-utils-1.14.0.jar    None            https://anchore.int.net.nokia.com:443/v1/query/vulnerabilities?id=VULNDB-216029

High vulnerabilities

Vulnerability Id   Severity   Path                                                Fix available   Link
CVE-2017-7656      High       /opt/nifi/lib/jetty-schemas-3.1.jar                 None            https://nvd.nist.gov/vuln/detail/CVE-2009-5045
CVE-2017-9735      High       /opt/nifi/lib/jetty-schemas-3.1.jar                 None            https://nvd.nist.gov/vuln/detail/CVE-2017-9735
CVE-2020-27216     High       /opt/nifi/lib/jetty-schemas-3.1.jar                 None            https://nvd.nist.gov/vuln/detail/CVE-2020-27216
VULNDB-256815      High       /opt/nifi-toolkit/lib/commons-compress-1.20.jar     None            https://repo1.dso.mil/dsop/opensource/apache/nifi/-/issues/13
VULNDB-257084      High       /opt/nifi-toolkit/lib/commons-compress-1.20.jar     None            https://repo1.dso.mil/dsop/opensource/apache/nifi/-/issues/13


One or two vulnerabilities are fixed in 1.15, for example CVE-2020-17521: https://issues.apache.org/jira/browse/NIFI-8990.

Could you please help us with the impact and the fix version, or the possibility of fixing it in 1.14 itself?

Thanks & Regards,
Ganesh.B


Re: Nifi 1.14 vulnerabilities critical

Posted by Joe Witt <jo...@gmail.com>.
Ganesh

You and/or another person on your email were already replied to on the
proper alias, which is the security alias.

In any event since we are now also here we will share the same message

Me: We regularly perform such scans as well.  If we confirm we use a
vulnerable library in a way that exposes the vulnerability we act quickly
to resolve.  We generally do not backport to older lines and instead
continually improve the release going forward.  The current release is 1.15
and we are working on 1.16.

Apache Security/Mark: Outdated dependencies are not always security
issues.  A project would only be affected if a dependency was used in such
a way that the affected underlying code is used and the vulnerabilities
were exposed.  We typically get reports sent to us from scanning tools that
look at dependencies out of context of how they are actually used in the
projects.  As such we reject these reports and suggest you either a) show
how the product is affected by the dependency vulnerabilities, or b) simply
mention this as a normal bug report to that project.  Since dependency
vulnerabilities are quite public, there is no need to use this private
reporting mechanism for them.

Thanks

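The triage step Mark describes, checking whether a flagged jar actually ships the code a CVE is about rather than merely matching an artifact name and version, is something a practitioner can automate before escalating a scanner hit. The following is an added example, not code from this thread or from the NiFi project. The mapping from each CVE to a class path is an assumption for illustration and should be confirmed against the upstream Jetty fix commits; the two jars are constructed in memory to stand in for the scanned paths listed above.

```python
"""Triage dependency-scanner findings by inspecting jar contents.

A scanner that matches on artifact name/version will flag a jar even when
it contains none of the code the CVE concerns. This script answers the
first triage question: does the flagged jar ship the affected class at all?
"""
import io
import zipfile

# Assumed mapping from finding to the class(es) touched by the upstream fix.
# These are illustrative assumptions, not verified fix-commit data; confirm
# each one against the vendor advisory before relying on the verdict.
AFFECTED_CLASSES = {
    "CVE-2017-7656": ["org/eclipse/jetty/http/HttpParser.class"],
    "CVE-2017-7657": ["org/eclipse/jetty/http/HttpParser.class"],
    "CVE-2017-7658": ["org/eclipse/jetty/http/HttpParser.class"],
    "CVE-2017-9735": ["org/eclipse/jetty/util/security/Password.class"],
}


def jar_entries(jar_bytes):
    """Return the file entries (not directories) inside a jar/zip."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [info.filename for info in zf.infolist() if not info.is_dir()]


def triage(finding, jar_bytes):
    """Classify a scanner finding against the actual jar contents.

    Verdicts:
      no-code      - the jar has no .class entries (resources only), so there
                     is nothing executable for the CVE to apply to
      code-present - the affected class is shipped; reachability from NiFi's
                     code paths still has to be established
      not-present  - the jar has code but none of the affected classes
    """
    entries = jar_entries(jar_bytes)
    classes = [e for e in entries if e.endswith(".class")]
    hits = [c for c in AFFECTED_CLASSES.get(finding, []) if c in entries]
    if not classes:
        verdict = "no-code"
    elif hits:
        verdict = "code-present"
    else:
        verdict = "not-present"
    return {
        "finding": finding,
        "class_count": len(classes),
        "affected_hits": hits,
        "verdict": verdict,
    }


def build_jar(entries):
    """Build an in-memory jar from {path: content} for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample jars. SCHEMAS_JAR models a resources-only artifact;
# SERVER_JAR models a jar that really contains the assumed affected class.
SCHEMAS_JAR = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "javax/servlet/resources/web-app_3_1.xsd": "<xs:schema/>",
    "javax/servlet/resources/web-app_2_3.dtd": "<!ELEMENT web-app ANY>",
})
SERVER_JAR = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "org/eclipse/jetty/http/HttpParser.class": b"\xca\xfe\xba\xbe",  # class-file magic only
})


if __name__ == "__main__":
    for name, jar in (("schemas-only jar", SCHEMAS_JAR), ("server jar", SERVER_JAR)):
        for cve in ("CVE-2017-7657", "CVE-2017-9735"):
            print(name, triage(cve, jar))
```

A no-code verdict means the scanner keyed on the artifact name and version and there is nothing executable to be vulnerable; that is the case to push back on with the jar listing attached. A code-present verdict only clears the first hurdle: the second question, whether the product reaches that class on an attacker-influenced path, is what Mark asks reporters to show before a report is treated as a vulnerability in the project rather than in a dependency.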