Posted to users@nifi.apache.org by Dnyaneshwar Pawar <dn...@persistent.com> on 2018/10/10 07:05:10 UTC

Security issues for NiFi's supporting libs.

Hi,

  We are using Apache NiFi 1.7.0 and the security scan has high severity issues for Bouncy Castle bcprov-jdk15on-1.59 and Apache's commons-codec lib. How should we address them? Bouncy Castle has been upgraded to fix the issues. What about commons-codec, and are they available in 1.7.1?

Thanks in advance.
Regards,
Dnyaneshwar Pawar

DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.

Re: Security issues for NiFi's supporting libs.

Posted by Andy LoPresto <al...@gmail.com>.
Please stop replying to this thread. You can follow up on the private thread between you and the Apache NiFi security team for more information. 

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69


RE: Security issues for NiFi's supporting libs.

Posted by Dnyaneshwar Pawar <dn...@persistent.com>.
Thank you for your reply. Is there any official documentation or link where we can point to and assure our users about this?
Basically their scan is reporting CVE-2018-1000613, CVE-2018-1000180 and CVE-2009-0001 issues.


Regards,
Dnyaneshwar Pawar


Re: Security issues for NiFi's supporting libs.

Posted by Andy LoPresto <al...@apache.org>.
The Apache NiFi security team has responded to these messages via private email. For all interested parties, please know that NiFi is not vulnerable to CVE-2018-1000613, and further discussion is needed for the second CVE listed, as this issue number does not match the description provided.

All users should refer to the Apache NiFi Security Reporting Guidelines for the coordinated disclosure process [1].

[1] https://nifi.apache.org/security.html


Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69



RE: Security issues for NiFi's supporting libs.

Posted by Dnyaneshwar Pawar <dn...@persistent.com>.
More organized information.

Vulnerability: CVE-2018-1000613
Severity: High
Package/jar: bcprov-jdk15on-1.59.jar
Description: Legion of the Bouncy Castle Java Cryptography APIs version prior to version 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in the execution of unexpected code. This attack appears to be exploitable via a handcrafted private key that can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.

Vulnerability: CVE-2009-0001
Severity: Medium
Package/jar: commons-codec-1.11.jar
Description: Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.


