Posted to commits@nifi.apache.org by al...@apache.org on 2018/01/25 19:51:40 UTC
svn commit: r1822223 - /nifi/site/trunk/security.html
Author: alopresto
Date: Thu Jan 25 19:51:39 2018
New Revision: 1822223
URL: http://svn.apache.org/viewvc?rev=1822223&view=rev
Log:
Added CVE-2017-15703 to security.html.
Modified:
nifi/site/trunk/security.html
Modified: nifi/site/trunk/security.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1822223&r1=1822222&r2=1822223&view=diff
==============================================================================
--- nifi/site/trunk/security.html (original)
+++ nifi/site/trunk/security.html Thu Jan 25 19:51:39 2018
@@ -156,7 +156,7 @@
<div class="row">
<div class="large-12 columns">
<p><a id="CVE-2017-12632" href="#CVE-2017-12632"><strong>CVE-2017-12632</strong></a>: Apache NiFi host header poisoning issue</p>
- <p>Severity: <strong>Medium</strong></p>
+ <p>Severity: <strong>Moderate</strong></p>
<p>Versions Affected:</p>
<ul>
<li>Apache NiFi 0.1.0 - 1.4.0</li>
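Review bot: The Severity line for CVE-2017-12632 is relabelled from Medium to Moderate, but the log message only says "Added CVE-2017-15703 to security.html." Anyone tracking the published severity of an existing advisory through the commit history will not find this change from the log. Either mention the relabel in the log message or commit it separately from the new entry, and state whether it is a terminology alignment or a reassessment of the issue.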
@@ -171,7 +171,7 @@
<div class="row">
<div class="large-12 columns">
<p><a id="CVE-2017-15697" href="#CVE-2017-15697"><strong>CVE-2017-15697</strong></a>: Apache NiFi XSS issue in context path handling</p>
- <p>Severity: <strong>Medium</strong></p>
+ <p>Severity: <strong>Moderate</strong></p>
<p>Versions Affected:</p>
<ul>
<li>Apache NiFi 1.0.0 - 1.4.0</li>
@@ -192,7 +192,7 @@
<div class="row">
<div class="large-12 columns">
<p><a id="CVE-2017-12623" href="#CVE-2017-12623"><b>CVE-2017-12623</b></a>: Apache NiFi XXE issue in template XML upload</p>
- <p>Severity: <del><b>Medium</b></del> <strong>Important</strong></p>
+ <p>Severity: <del><b>Moderate</b></del> <strong>Important</strong></p>
<p>Versions Affected:</p>
<ul>
<li>Apache NiFi 1.0.0 - 1.3.0</li>
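Review bot: On the Severity line for CVE-2017-12623, the text inside the del element is the rating that was superseded by Important, so editing it from Medium to Moderate changes what the page says was originally published. If this is only a rename of the scale label, say so in the log message; if the earlier rating needs to stay auditable, leave the struck-through value as it was issued. Separately, this entry uses b for the CVE anchor and the struck-through value while the two entries above use strong, so it is worth normalising to strong while the line is being touched.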
@@ -204,6 +204,21 @@
<p>Released: October 2, 2017 (Updated January 23, 2018)</p>
</div>
</div>
+<div class="row">
+ <div class="large-12 columns">
+ <p><a id="CVE-2017-15703" href="#CVE-2017-15703"><b>CVE-2017-15703</b></a>: Apache NiFi Java deserialization issue in template XML upload</p>
+ <p>Severity: <strong>Moderate</strong></p>
+ <p>Versions Affected:</p>
+ <ul>
+ <li>Apache NiFi 1.0.0 - 1.3.0</li>
+ </ul>
+ </p>
+ <p>Description: Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. </p>
+ <p>Mitigation: The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p>
+ <p>Credit: This issue was discovered by Mike Cole. </p>
+ <p>Released: October 2, 2017 (Updated January 25, 2018)</p>
+ </div>
+</div>
<div class="medium-space"></div>
<div class="row">
<div class="large-12 columns features">
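Review bot: The added line "+ </p>" after the closing ul in the CVE-2017-15703 entry has no matching opening tag, because "Versions Affected:" is already closed on its own line; browsers turn a stray closing p into an empty paragraph, so drop it. The Mitigation text says users "should upgrade to the appropriate release" even though the sentence before it names 1.4.0 as the release carrying the fix, and "upgrade to 1.4.0 or later" would leave no room for doubt. The Description, Mitigation and Credit lines also carry a trailing space before the closing p tag that can be trimmed.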