Posted to commits@nifi.apache.org by al...@apache.org on 2018/01/25 19:51:40 UTC

svn commit: r1822223 - /nifi/site/trunk/security.html

Author: alopresto
Date: Thu Jan 25 19:51:39 2018
New Revision: 1822223

URL: http://svn.apache.org/viewvc?rev=1822223&view=rev
Log:
Added CVE-2017-15703 to security.html.

Modified:
    nifi/site/trunk/security.html

Modified: nifi/site/trunk/security.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1822223&r1=1822222&r2=1822223&view=diff
==============================================================================
--- nifi/site/trunk/security.html (original)
+++ nifi/site/trunk/security.html Thu Jan 25 19:51:39 2018
@@ -156,7 +156,7 @@
 <div class="row">
     <div class="large-12 columns">
         <p><a id="CVE-2017-12632" href="#CVE-2017-12632"><strong>CVE-2017-12632</strong></a>: Apache NiFi host header poisoning issue</p>
-        <p>Severity: <strong>Medium</strong></p>
+        <p>Severity: <strong>Moderate</strong></p>
         <p>Versions Affected:</p>
         <ul>
             <li>Apache NiFi 0.1.0 - 1.4.0</li>
@@ -171,7 +171,7 @@
 <div class="row">
     <div class="large-12 columns">
         <p><a id="CVE-2017-15697" href="#CVE-2017-15697"><strong>CVE-2017-15697</strong></a>: Apache NiFi XSS issue in context path handling</p>
-        <p>Severity: <strong>Medium</strong></p>
+        <p>Severity: <strong>Moderate</strong></p>
         <p>Versions Affected:</p>
         <ul>
             <li>Apache NiFi 1.0.0 - 1.4.0</li>
@@ -192,7 +192,7 @@
 <div class="row">
     <div class="large-12 columns">
         <p><a id="CVE-2017-12623" href="#CVE-2017-12623"><b>CVE-2017-12623</b></a>: Apache NiFi XXE issue in template XML upload</p>
-        <p>Severity: <del><b>Medium</b></del> <strong>Important</strong></p>
+        <p>Severity: <del><b>Moderate</b></del> <strong>Important</strong></p>
         <p>Versions Affected:</p>
         <ul>
             <li>Apache NiFi 1.0.0 - 1.3.0</li>
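Review bot: Rewriting the text inside the `<del>` element changes the historical record this entry is meant to preserve; the struck-through value on `+        <p>Severity: <del><b>Moderate</b></del> <strong>Important</strong></p>` should stay as the severity originally published ("Medium") so readers can see what was actually corrected, with only the live value normalized to the "Moderate" wording used elsewhere on the page.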
@@ -204,6 +204,21 @@
         <p>Released: October 2, 2017 (Updated January 23, 2018)</p>
     </div>
 </div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><a id="CVE-2017-15703" href="#CVE-2017-15703"><b>CVE-2017-15703</b></a>: Apache NiFi Java deserialization issue in template XML upload</p>
+        <p>Severity: <strong>Moderate</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.0.0 - 1.3.0</li>
+        </ul>
+        </p>
+        <p>Description: Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. </p>
+        <p>Mitigation: The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
+        <p>Credit: This issue was discovered by Mike Cole. </p>
+        <p>Released: October 2, 2017 (Updated January 25, 2018)</p>
+    </div>
+</div>
 <div class="medium-space"></div>
 <div class="row">
     <div class="large-12 columns features">
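Review bot: The new CVE-2017-15703 block contains a stray closing tag on the line `+        </p>` directly after `+        </ul>`; there is no matching open `<p>`, since the "Versions Affected:" paragraph was already closed, so this line should be dropped to keep the markup well-formed (the other entries in this file close the list and go straight to the Description paragraph). Minor: the Description, Mitigation and Credit paragraphs carry trailing spaces before `</p>`, and the anchor uses `<b>` where most entries on the page use `<strong>`; worth aligning with the neighbouring entries for consistency.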