Posted to commits@nifi.apache.org by al...@apache.org on 2020/04/21 17:44:27 UTC

[nifi-site] branch master updated (c9b9250 -> e607ee7)

This is an automated email from the ASF dual-hosted git repository.

alopresto pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/nifi-site.git.


    from c9b9250  Added NiFi Registry 0.6.0 download links.
     new 3bf66c7  NIFIREG-371 - Adding the NiFi Registry security/CVE documentation page and release information for NiFi Registry 0.6.0 release.
     new bb04a0c  Updated heading in NiFi security page.
     new e607ee7  Fixed HackerOne URL in security page.

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 src/includes/topbar.hbs              |   3 +-
 src/pages/html/registry-security.hbs | 167 +++++++++++++++++++++++++++++++++++
 src/pages/html/security.hbs          |   4 +-
 3 files changed, 171 insertions(+), 3 deletions(-)
 create mode 100644 src/pages/html/registry-security.hbs


[nifi-site] 02/03: Updated heading in NiFi security page.

Posted by al...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

alopresto pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nifi-site.git

commit bb04a0cdc58da95fea6fdae26c4b05f207d286f6
Author: Nathan Gough <th...@gmail.com>
AuthorDate: Tue Apr 21 12:00:42 2020 -0400

    Updated heading in NiFi security page.
---
 src/pages/html/security.hbs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs
index a2f4217..e98d116 100644
--- a/src/pages/html/security.hbs
+++ b/src/pages/html/security.hbs
@@ -7,7 +7,7 @@ title: Apache NiFi Security Reports
 <div class="medium-space"></div>
 <div class="row">
     <div class="large-12 columns features">
-        <h2>Security Vulnerability Disclosure</h2>
+        <h2>NiFi Security Vulnerability Disclosure</h2>
     </div>
 </div>
 <div class="row">


[nifi-site] 01/03: NIFIREG-371 - Adding the NiFi Registry security/CVE documentation page and release information for NiFi Registry 0.6.0 release.

Posted by al...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

alopresto pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nifi-site.git

commit 3bf66c72624e24b116150dabd76752f55b2a3a34
Author: Nathan Gough <th...@gmail.com>
AuthorDate: Tue Apr 21 11:37:17 2020 -0400

    NIFIREG-371 - Adding the NiFi Registry security/CVE documentation page and release information for NiFi Registry 0.6.0 release.
---
 src/includes/topbar.hbs              |   3 +-
 src/pages/html/registry-security.hbs | 167 +++++++++++++++++++++++++++++++++++
 2 files changed, 169 insertions(+), 1 deletion(-)

diff --git a/src/includes/topbar.hbs b/src/includes/topbar.hbs
index 8a20972..7342922 100644
--- a/src/includes/topbar.hbs
+++ b/src/includes/topbar.hbs
@@ -30,7 +30,8 @@
                         <li><a href="videos.html">Videos</a></li>
                         <li><a href="docs.html">NiFi Docs</a></li>
                         <li><a href="https://cwiki.apache.org/confluence/display/NIFI"><i class="fa fa-external-link external-link"></i>Wiki</a></li>
-                        <li><a href="security.html">Security Reports</a></li>
+                        <li><a href="security.html">NiFi Security Reports</a></li>
+                        <li><a href="registry-security.html">NiFi Registry Security Reports</a></li>
                     </ul>
                 </li>
                 <li class="has-dropdown">
diff --git a/src/pages/html/registry-security.hbs b/src/pages/html/registry-security.hbs
new file mode 100644
index 0000000..842697f
--- /dev/null
+++ b/src/pages/html/registry-security.hbs
@@ -0,0 +1,167 @@
+---
+title: Apache NiFi Registry Security Reports
+---
+
+<div class="large-space"></div>
+</div>
+<div class="medium-space"></div>
+<div class="row">
+    <div class="large-12 columns features">
+        <h2>NiFi Registry Security Vulnerability Disclosure</h2>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p>Apache NiFi Registry welcomes the responsible reporting of security vulnerabilities. The NiFi Registry team believes that working with skilled security researchers across the globe is crucial in identifying
+            weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will work with you to resolve the issue
+            promptly.</p>
+        <h3>Disclosure Policy</h3>
+        <ul>
+            <li>Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.</li>
+            <li>Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.</li>
+            <li>Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit
+                permission of the account holder.
+            </li>
+        </ul>
+        <h3>Exclusions</h3>
+        <p>While researching, we'd like to ask you to refrain from:</p>
+        <ul>
+            <li>Denial of service</li>
+            <li>Spamming</li>
+            <li>Social engineering (including phishing) of Apache NiFi and NiFi Registry staff or contractors</li>
+            <li>Any physical attempts against Apache NiFi or NiFi Registry property or data centers</li>
+        </ul>
+        <h3>Reporting Methods</h3>
+        <p>NiFi Registry receives vulnerability reports through the Apache NiFi team via the following means:</p>
+        <ul>
+            <li>Send an email to <a href="mailto:security@nifi.apache.org">security@nifi.apache.org</a>. This is a private list monitored by the <a href="people.html">PMC</a>. For sensitive
+                disclosures, the GPG key fingerprint is <strong>1230 3BB8 1F22 E11C 8725 926A AFF2 B368 23B9 44E9</strong>.
+            </li>
+        </ul>
+        <p>Thank you for helping keep Apache NiFi Registry and our users safe!</p>
+    </div>
+</div>
+<div class="medium-space"></div>
+<div class="row">
+    <div class="large-12 columns features">
+        <h2><a id="0.6.0" href="#0.6.0">Fixed in Apache NiFi Registry 0.6.0</a></h2>
+    </div>
+</div>
+<!-- Vulnerabilities -->
+<div class="row">
+    <div class="large-12 columns features">
+        <h2><a id="0.6.0-vulnerabilities" href="#0.6.0-vulnerabilities">Vulnerabilities</a></h2>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="CVE-2020-9482" href="#CVE-2020-9482"><strong>CVE-2020-9482</strong></a>: Apache NiFi Registry user log out issue</p>
+        <p>Severity: <strong>Moderate</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi Registry 0.1.0 - 0.5.0</li>
+        </ul>
+        </p>
+        <p>Description: If NiFi Registry uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry. </p>
+        <p>Mitigation: The fix to invalidate the server-side authentication token immediately after the user clicks 'Log Out' was applied in the Apache NiFi Registry 0.6.0 release. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9482" target="_blank">Mitre Database: CVE-2020-9482</a></p>
+        <p>NiFi Registry Jira: <a href="https://issues.apache.org/jira/browse/NIFIREG-387" target="_blank">NIFIREG-387</a></p>
+        <p>NiFi Registry PR: <a href="https://github.com/apache/nifi-registry/pull/277" target="_blank">PR 277</a></p>
+        <p>Released: April 7, 2020</p>
+    </div>
+</div>
+<!-- Dependency Vulnerabilities -->
+<div class="row">
+    <div class="large-12 columns features">
+        <h2><a id="0.6.0-dependency-vulnerabilities" href="#0.6.0-dependency-vulnerabilities">Dependency Vulnerabilities</a></h2>
+    </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+    <div class="large-12 columns">
+        <p><a id="CVE-2019-14540" href="#CVE-2019-14540"><strong>CVE-2019-14540</strong></a>: Apache NiFi Registry's jackson-databind usage</p>
+        <p>Severity: <strong>Critical</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi Registry 0.5.0 - 0.5.0</li>
+        </ul>
+        </p>
+        <p>Description: The com.fasterxml.jackson.core:jackson-databind dependency in the nifi-registry-framework was vulnerable. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-14540" target="_blank">NIST NVD CVE-2019-14540</a> for more information. </p>
+        <p>Mitigation: jackson-databind was upgraded from 2.9.9.1 to 2.10.3 for the Apache NiFi Registry 0.6.0 release. It is unlikely that NiFi Registry's usage of this dependency could be exploited as described by the CVE, however we consider it prudent for users running a prior 0.x release to upgrade to the 0.6.0 release. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540" target="_blank">Mitre Database: CVE-2019-14540</a></p>
+        <p>NiFi Registry Jira: <a href="https://issues.apache.org/jira/browse/NIFIREG-376" target="_blank">NIFIREG-376</a></p>
+        <p>NiFi Registry PR: <a href="https://github.com/apache/nifi-registry/pull/271" target="_blank">PR 271</a></p>
+        <p>Released: April 7, 2020</p>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="CVE-2019-10782" href="#CVE-2019-10782"><strong>CVE-2019-10782</strong></a>: Apache NiFi's Registry's checkstyle usage</p>
+        <p>Severity: <strong>Moderate</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi Registry 0.1.0 - 0.5.0</li>
+        </ul>
+        </p>
+        <p>Description: The com.puppycrawl.tools:checkstyle dependency was vulnerable. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-10782" target="_blank">NIST NVD CVE-2019-10782</a> for more information. </p>
+        <p>Mitigation: The checkstyle dependency was upgraded from 8.21 to 8.31 for the Apache NiFi Registry 0.6.0 release. It is unlikely that NiFi Registry's usage of this dependency could be exploited as described by the CVE, however we consider it prudent for users running a prior 0.x release to upgrade to the 0.6.0 release. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10782" target="_blank">Mitre Database: CVE-2019-10782</a></p>
+        <p>NiFi Registry Jira: <a href="https://issues.apache.org/jira/browse/NIFIREG-364" target="_blank">NIFIREG-364</a></p>
+        <p>NiFi Registry PR: <a href="https://github.com/apache/nifi-registry/pull/270" target="_blank">PR 270</a></p>
+        <p>Released: April 7, 2020</p>
+    </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+    <div class="large-12 columns">
+        <p><a id="CVE-2018-10054" href="#CCVE-2018-10054"><strong>CVE-2018-10054</strong></a>: Apache NiFi's Registry h2 database usage</p>
+        <p>Severity: <strong>Important</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi Registry 0.5.0 - 0.5.0</li>
+        </ul>
+        </p>
+        <p>Description: The com.h2database:h2 dependency in the nifi-registry-framework module was vulnerable. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-10054" target="_blank">NIST NVD CVE-2018-10054</a> for more information. </p>
+        <p>Mitigation: The h2 database dependency was upgraded from 1.4.197 to 1.4.199 for the Apache NiFi Registry 0.6.0 release. It is unlikely that NiFi Registry's usage of this dependency could be exploited as described by the CVE, however we consider it prudent for users running a prior 0.x release to upgrade to the 0.6.0 release. </p>
+        <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10054" target="_blank">Mitre Database: CVE-2018-10054</a></p>
+        <p>NiFi Registry Jira: <a href="https://issues.apache.org/jira/browse/NIFIREG-372" target="_blank">NIFIREG-372</a></p>
+        <p>NiFi Registry PR: <a href="https://github.com/apache/nifi-registry/pull/267" target="_blank">PR 267</a></p>
+        <p>Released: April 7, 2020</p>
+    </div>
+</div>
+<div class="medium-space"></div>
+<div class="row">
+    <div class="large-12 columns features">
+        <h2>Severity Levels</h2>
+    </div>
+</div>
+<div class="row">
+    <p class="description">The following lists the severity levels and criteria followed. It closely aligns to and borrows from Apache HTTP Server Project <a
+            href="https://httpd.apache.org/security/impact_levels.html">guidance.</a></p>
+    <div class="large-12 columns">
+        <table>
+            <tr>
+                <td>Critical</td>
+                <td>A vulnerability rated with a critical impact is one which could be potentially exploited by a remote attacker to get NiFi Registry to execute arbitrary code either as the user the server is
+                    running as or root. These are the sorts of vulnerabilities that could be exploited automatically by worms.
+                </td>
+            </tr>
+            <tr>
+                <td>Important</td>
+                <td>A vulnerability rated as Important impact is one which could result in the compromise of data or availability of the server. For Apache NiFi Registry this includes issues that allow an easy
+                    remote denial of service or access to files that should be otherwise prevented by limits or authentication.
+                </td>
+            </tr>
+            <tr>
+                <td>Moderate</td>
+                <td>A vulnerability is likely to be rated as Moderate if there is significant mitigation to make the issue less of an impact. This might be done because the flaw does not affect likely
+                    configurations, or it is a configuration that isn't widely used, or where a remote user must be authenticated in order to exploit the issue.
+                </td>
+            </tr>
+            <tr>
+                <td>Low</td>
+                <td>All other security flaws are classed as a Low impact. This rating is used for issues that are believed to be extremely hard to exploit, or where an exploit gives minimal
+                    consequences.
+                </td>
+            </tr>
+        </table>
+    </div>
+</div>
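Review bot: the new registry-security.hbs has four stray closing `</p>` tags with no matching open, one right after the `</ul>` that ends each "Versions Affected" list (for CVE-2020-9482, CVE-2019-14540, CVE-2019-10782 and CVE-2018-10054); `<p>Versions Affected:</p>` is already closed on the line before the list, so these `</p>` lines should be dropped to keep the markup well-formed. The in-page anchor for the h2 entry is also broken: `href="#CCVE-2018-10054"` does not match its own `id="CVE-2018-10054"` and should read `href="#CVE-2018-10054"`. Smaller points in the same hunk: the `</div>` directly after `<div class="large-space"></div>` at the top of the file closes nothing opened here, so confirm it matches the enclosing layout template before keeping it; the entry titles "Apache NiFi's Registry's checkstyle usage" and "Apache NiFi's Registry h2 database usage" would be consistent with the jackson-databind entry as "Apache NiFi Registry's ..."; and the "Apache NiFi Registry 0.5.0 - 0.5.0" ranges for CVE-2019-14540 and CVE-2018-10054 are presumably a single affected version and read more clearly as "Apache NiFi Registry 0.5.0".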


[nifi-site] 03/03: Fixed HackerOne URL in security page.

Posted by al...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

alopresto pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nifi-site.git

commit e607ee74465c0d66fdc64609bbbcfe6affd34c0d
Author: Andy LoPresto <al...@apache.org>
AuthorDate: Tue Apr 21 10:44:15 2020 -0700

    Fixed HackerOne URL in security page.
---
 src/pages/html/security.hbs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs
index e98d116..21c010f 100644
--- a/src/pages/html/security.hbs
+++ b/src/pages/html/security.hbs
@@ -37,7 +37,7 @@ title: Apache NiFi Security Reports
             <li>Send an email to <a href="mailto:security@nifi.apache.org">security@nifi.apache.org</a>. This is a private list monitored by the <a href="people.html">PMC</a>. For sensitive
                 disclosures, the GPG key fingerprint is <strong>1230 3BB8 1F22 E11C 8725 926A AFF2 B368 23B9 44E9</strong>.
             </li>
-            <li>NiFi has a <a href="https://hackerone.com/apache_nifi" target="_blank">HackerOne</a> project page. HackerOne provides a triaged process for researchers and organizations to
+            <li>NiFi has a <a href="https://hackerone.com/apachenifi" target="_blank">HackerOne</a> project page. HackerOne provides a triaged process for researchers and organizations to
                 collaboratively report and resolve security vulnerabilities.
             </li>
         </ul>