Posted to users@nifi.apache.org by James <ge...@gmail.com> on 2022/11/10 19:27:58 UTC

Re: CVE-2022-42889 and impact on Apache Nifi

Hi

Do you know if a 1.18.1 version will be released for this, even if it is
just "cosmetic"? This statement is pretty accurate for something like this:
"upgrade to stop the endless high prio Excel sheets with vulnerability
scanner results showing our NiFi servers having the vulnerable library
present on disk"

If it has been decided that you're waiting for a 1.19 release instead, is
there a timeline I can quote in response to the emails?

Thanks for all the work done on Nifi!

James

On Mon, Oct 24, 2022 at 3:22 PM Isha Lamboo <is...@virtualsciences.nl>
wrote:

> I second Tom's sentiment. It would be very much appreciated if we could go
> ahead and upgrade to stop the endless high prio Excel sheets with
> vulnerability scanner results showing our NiFi servers having the
> vulnerable library present on disk.
>
> The GitHub pull request mentions this: "The upgrade mitigates
> CVE-2022-42889, although Apache NiFi does not include any direct references
> to vulnerable instances of the StringLookup class."
>
> An official statement along those lines would also help, but after log4j
> it seems upgrading away the vulnerabilities is less work than managing scan
> results and waivers.
>
> Regards,
>
> Isha
>
> -----Original message-----
> From: Tom Coudyzer <tc...@gmail.com>
> Sent: Friday, 21 October 2022 20:21
> To: users@nifi.apache.org
> Subject: Re: CVE-2022-42889 and impact on Apache Nifi
>
> Hi,
>
> Apologies if I posted through the wrong channels. Will have a look at the
> guidelines.
> Thanks 🙏 for sharing the pointers on the work that has been done!
>
> 1.18.1 could be a good idea, I think. As you say, it would make people more
> comfortable, as there is much noise around this CVE and the immediate
> conclusion that a patch is needed, while it may be that a product is not
> vulnerable to it despite having the library as a dependency.
>
> Thanks again!
>
> /Tom
>
>
> > On 21 Oct 2022, at 20:10, Joe Witt <jo...@gmail.com> wrote:
> >
> > Tom
> >
> > In the future if you're concerned or have questions about a
> > vulnerability/potential vulnerability please follow the guidance here.
> >
> > https://nifi.apache.org/security.html
> >
> > Here you can see what we've done for this already on main
> > https://issues.apache.org/jira/browse/NIFI-10648 with more info in
> > https://github.com/apache/nifi/pull/6531
> >
> > It doesn't seem like it thus far but might be worth kicking out a
> > 1.18.1 just to help people feel more comfortable.  Will share more if
> > that shapes up.
> >
> > Thanks
> > Joe
> >
> >> On Fri, Oct 21, 2022 at 10:50 AM Tom Coudyzer <tc...@gmail.com>
> wrote:
> >>
> >> Hi,
> >>
> >> I looked on the Apache Nifi site and linked sites to find information
> on how CVE-2022-42889 impacts Apache Nifi.
> >>
> >> I found an issue report and merge request which indicate that the library
> >> Apache Commons Text has been upgraded to the patched version (1.10)
> >> and that it will be part of v1.19.0.
> >>
> >> I could however not find when this version will be released. Could that
> be checked somewhere?
> >>
> >> A second question is whether Nifi is impacted by this vulnerability, because
> it could be that the way Apache Nifi uses this library does not allow this
> vulnerability to be exploited.
> >>
> >> Thank you very much for any feedback and thank you to the open source
> community for having made Apache Nifi and maintaining/improving this
> product.
> >>
> >> /Tom
>
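
As an added example (not code from this thread or from the NiFi project), here is the inventory check that the scanner complaints above boil down to: walk a NiFi-style install, find every commons-text jar, including jars bundled inside .nar files under META-INF/bundled-dependencies/ where a NAR keeps its dependencies, read the version from the jar's Maven pom.properties (falling back to the file name), and flag anything in the 1.5 to 1.9 range that Commons Text 1.10.0 fixes. The directory layout and jar contents are constructed in a temporary directory so the script runs offline; a hit only says the library is present on disk, which, as the PR statement quoted above notes, is not the same as NiFi calling the affected StringLookup code.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# CVE-2022-42889: the advisory lists Commons Text 1.5 through 1.9 as affected;
# 1.10.0 disables the script/dns/url interpolation lookups by default.
AFFECTED_FROM = (1, 5, 0)
FIXED_VERSION = (1, 10, 0)

POM_PROPERTIES = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
BUNDLED_PREFIX = "META-INF/bundled-dependencies/"  # where a NiFi NAR keeps its jars
FILENAME_VERSION = re.compile(r"^commons-text-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'1.9' -> (1, 9, 0); padded to three parts so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def needs_upgrade(version):
    """True when the version is inside the affected range, None when unknown."""
    if version is None:
        return None
    return AFFECTED_FROM <= version < FIXED_VERSION


def jar_version(jar_bytes, jar_name):
    """Prefer the Maven pom.properties inside the jar; fall back to the file name."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPERTIES in jar.namelist():
            for line in jar.read(POM_PROPERTIES).decode("utf-8").splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1])
    m = FILENAME_VERSION.match(Path(jar_name).name)
    return parse_version(m.group(1)) if m else None


def scan(root):
    """Return [(location, version_tuple, needs_upgrade)] for every commons-text jar,
    whether it sits directly on disk or is bundled inside a .nar file."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix == ".jar" and path.name.startswith("commons-text-"):
            ver = jar_version(path.read_bytes(), path.name)
            findings.append((str(path.relative_to(root)), ver, needs_upgrade(ver)))
        elif path.suffix == ".nar":
            with zipfile.ZipFile(path) as nar:
                for name in nar.namelist():
                    inner = Path(name).name
                    if (name.startswith(BUNDLED_PREFIX)
                            and inner.startswith("commons-text-") and inner.endswith(".jar")):
                        ver = jar_version(nar.read(name), inner)
                        location = f"{path.relative_to(root)}!{name}"
                        findings.append((location, ver, needs_upgrade(ver)))
    return findings


def make_jar(version, with_pom=True):
    """Constructed stand-in for a jar: only Maven metadata, no classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_pom:
            jar.writestr(POM_PROPERTIES,
                         f"groupId=org.apache.commons\nartifactId=commons-text\nversion={version}\n")
    return buf.getvalue()


def build_fixture(root):
    """Constructed NiFi-like layout (assumption, not a real install): an old jar in
    lib/, an unrelated jar that must be ignored, and a patched jar bundled in a NAR."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True)
    (lib / "commons-text-1.9.jar").write_bytes(make_jar("1.9"))
    (lib / "commons-lang3-3.12.0.jar").write_bytes(make_jar("3.12.0", with_pom=False))
    with zipfile.ZipFile(lib / "nifi-example-nar-1.18.0.nar", "w") as nar:
        nar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # no pom.properties inside, so the file-name fallback is exercised
        nar.writestr(BUNDLED_PREFIX + "commons-text-1.10.0.jar", make_jar("1.10.0", with_pom=False))
    return root


def run_demo():
    """Build the constructed layout in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for location, ver, flag in run_demo():
        shown = ".".join(map(str, ver)) if ver else "unknown"
        print(f"{'UPGRADE' if flag else 'ok     '} {shown:8} {location}")
```

Point `scan()` at a real NIFI_HOME to get the same list a scanner produces, NAR-bundled copies included; the version-on-disk result is an inventory fact, and whether any of those copies is reachable with attacker-controlled interpolation input is a separate question about how the code uses the library.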

Re: CVE-2022-42889 and impact on Apache Nifi

Posted by Joe Witt <jo...@gmail.com>.
James,

There is no specific timeline determined for 1.19.0 at this moment, but we
likely could just choose to spin a release there.  I will initiate a 1.19
discussion now (that will be on dev if you want to follow along).

I don't see 1.18.1 as ultra realistic as we've made so many dependency
updates and such that we really ought to move forward with new
capabilities, fixes, and security related items (like this) that we have
now.

Thanks
Joe


