Posted to commits@nifi.apache.org by mc...@apache.org on 2017/06/11 12:36:03 UTC

svn commit: r1798361 - /nifi/site/trunk/security.html

Author: mcgilman
Date: Sun Jun 11 12:36:03 2017
New Revision: 1798361

URL: http://svn.apache.org/viewvc?rev=1798361&view=rev
Log:
CVE announce for 1.3.0 and 0.7.4

Modified:
    nifi/site/trunk/security.html

Modified: nifi/site/trunk/security.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1798361&r1=1798360&r2=1798361&view=diff
==============================================================================
--- nifi/site/trunk/security.html (original)
+++ nifi/site/trunk/security.html Sun Jun 11 12:36:03 2017
@@ -114,31 +114,76 @@
     </div>
 </div>
 <div class="row">
-        <div class="large-12 columns">
-            <p>Apache NiFi welcomes the responsible reporting of security vulnerabilities. The NiFi team believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will work with you to resolve the issue promptly.</p>
-            <h3>Disclosure Policy</h3>
-              <ul>
-                <li>Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.</li>
-                <li>Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.</li>
-                <li>Make a good faith effort to avoid privacy violations, destruction of data, and  interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.</li>
-              </ul>
-          <h3>Exclusions</h3>
-          <p>While researching, we'd like to ask you to refrain from:</p>
-          <ul>
+    <div class="large-12 columns">
+        <p>Apache NiFi welcomes the responsible reporting of security vulnerabilities. The NiFi team believes that working with skilled security researchers across the globe is crucial in identifying
+            weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will work with you to resolve the issue
+            promptly.</p>
+        <h3>Disclosure Policy</h3>
+        <ul>
+            <li>Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.</li>
+            <li>Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.</li>
+            <li>Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit
+                permission of the account holder.
+            </li>
+        </ul>
+        <h3>Exclusions</h3>
+        <p>While researching, we'd like to ask you to refrain from:</p>
+        <ul>
             <li>Denial of service</li>
             <li>Spamming</li>
             <li>Social engineering (including phishing) of Apache NiFi staff or contractors</li>
             <li>Any physical attempts against Apache NiFi property or data centers</li>
-          </ul>
-          <h3>Reporting Methods</h3>
-          <p>NiFi accepts reports in multiple ways:</p>
-          <ul>
-            <li>Send an email to <a href="mailto:security@nifi.apache.org">security@nifi.apache.org</a>. This is a private list monitored by the <a href="people.html">PMC</a>. For sensitive disclosures, the GPG key fingerprint is <strong>1230 3BB8 1F22 E11C 8725  926A AFF2 B368 23B9 44E9</strong>.</li>
-            <li>NiFi has a <a href="https://hackerone.com/apache_nifi" target="_blank">HackerOne</a> project page. HackerOne provides a triaged process for researchers and organizations to collaboratively report and resolve security vulnerabilities.</li>
-          </ul>
-          <p>Thank you for helping keep Apache NiFi and our users safe!</p>
-        </div>
-     </div>
+        </ul>
+        <h3>Reporting Methods</h3>
+        <p>NiFi accepts reports in multiple ways:</p>
+        <ul>
+            <li>Send an email to <a href="mailto:security@nifi.apache.org">security@nifi.apache.org</a>. This is a private list monitored by the <a href="people.html">PMC</a>. For sensitive
+                disclosures, the GPG key fingerprint is <strong>1230 3BB8 1F22 E11C 8725 926A AFF2 B368 23B9 44E9</strong>.
+            </li>
+            <li>NiFi has a <a href="https://hackerone.com/apache_nifi" target="_blank">HackerOne</a> project page. HackerOne provides a triaged process for researchers and organizations to
+                collaboratively report and resolve security vulnerabilities.
+            </li>
+        </ul>
+        <p>Thank you for helping keep Apache NiFi and our users safe!</p>
+    </div>
+</div>
+<div class="medium-space"></div>
+<div class="row">
+    <div class="large-12 columns features">
+        <h2>Fixed in Apache NiFi 0.7.4 and 1.3.0</h2>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><b>CVE-2017-7665</b>: Apache NiFi XSS issue on certain user input components</p>
+        <p>Severity: <b>Important</b></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 0.0.1 - 0.7.3</li>
+            <li>Apache NiFi 1.0.0 - 1.2.0</li>
+        </ul>
+        </p>
+        <p>Description: There are certain user input components in the Apache NiFi UI which had been guarding for some forms of XSS issues but were insufficient. </p>
+        <p>Mitigation: The fix for more complete user input sanitization will be applied on Apache NiFi 0.7.4 and Apache NiFi 1.3.0 releases. Users running a prior 0.x or 1.x release should upgrade to
+            the appropriate release. </p>
+        <p>Credit: This issue was discovered by Matt Gilman.</p>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><b>CVE-2107-7667</b>: Apache NiFi XFS issue due to insufficient response headers</p>
+        <p>Severity: <b>Important</b></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 0.0.1 - 0.7.3</li>
+            <li>Apache NiFi 1.0.0 - 1.2.0</li>
+        </ul>
+        </p>
+        <p>Description: Apache NiFi needs to establish the response header telling browsers to only allow framing with the same origin. </p>
+        <p>Mitigation: The fix to set this response header will be applied on Apache NiFi 0.7.4 and Apache NiFi 1.3.0 releases. Users running a prior 0.x or 1.x release should upgrade to the
+            appropriate release. </p>
+        <p>Credit: This issue was discovered by Matt Gilman.</p>
+    </div>
 </div>
 <div class="medium-space"></div>
 <div class="row">
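Review bot: the identifier on the second new advisory, `CVE-2107-7667`, looks like a transposition of `CVE-2017-7667`; the entry directly above it is `CVE-2017-7665`, and a 2107 year prefix is not a valid CVE year. Both new entries also end their "Versions Affected" block with a stray `</p>` after `</ul>` even though `<p>Versions Affected:</p>` is already closed, which leaves the markup unbalanced; drop the two extra `</p>` lines. For the framing advisory, consider stating in the Mitigation paragraph which response header and value the 0.7.4/1.3.0 fix sets, so operators who cannot upgrade immediately know what to apply at a reverse proxy in front of older releases.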
@@ -147,40 +192,44 @@
     </div>
 </div>
 <div class="row">
-        <div class="large-12 columns">
-            <p><b>CVE-2107-5635</b>: Apache NiFi Unauthorized Data Access In Cluster Environment</p>
-            <p>Severity: <b>Important</b></p>
-            <p>Versions Affected:</p>
-    <ul>
-      <li>Apache NiFi 0.7.0</li>
-      <li>Apache NiFi 0.7.1</li>
-      <li>Apache NiFi 1.1.0</li>
-      <li>Apache NiFi 1.1.1</li>
-    </ul>
-      </p>
-      <p>Description: In a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the “anonymous” user. </p>
-      <p>Mitigation: A fix has been provided (removing the negative check for anonymous user before building the proxy chain and throwing an exception, and evaluating each user in the proxy chain iteration and comparing against a static constant anonymous user).  This fix was applied in NIFI-3487 and released in Apache NiFi 0.7.2 and 1.1.2.  1.x users running a clustered environment should upgrade to 1.1.2.  0.x users running a clustered environment should upgrade to 0.7.2.  Additional migration guidance can be found <a href="https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance">here</a>. </p>
-      <p>Credit: This issue was discovered by Leonardo Dias in conjunction with Matt Gilman.</p>
-        </div>
-     </div>
-</div>
-<div class="row">
-        <div class="large-12 columns">
-            <p><b>CVE-2107-5636</b>: Apache NiFi User Impersonation In Cluster Environment</p>
-            <p>Severity: <b>Moderate</b></p>
-            <p>Versions Affected:</p>
-    <ul>
-      <li>Apache NiFi 0.7.0</li>
-      <li>Apache NiFi 0.7.1</li>
-      <li>Apache NiFi 1.1.0</li>
-      <li>Apache NiFi 1.1.1</li>
-    </ul>
-      </p>
-      <p>Description: In a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node. </p>
-      <p>Mitigation: A fix has been provided (modification of the tokenization code and sanitization of user-provided input).  This fix was applied in NIFI-3487 and released in Apache NiFi 0.7.2 and 1.1.2.  1.x users running a clustered environment should upgrade to 1.1.2.  0.x users running a clustered environment should upgrade to 0.7.2.  Additional migration guidance can be found <a href="https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance">here</a>. </p>
-      <p>Credit: This issue was discovered by Andy LoPresto.</p>
-        </div>
-     </div>
+    <div class="large-12 columns">
+        <p><b>CVE-2107-5635</b>: Apache NiFi Unauthorized Data Access In Cluster Environment</p>
+        <p>Severity: <b>Important</b></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 0.7.0</li>
+            <li>Apache NiFi 0.7.1</li>
+            <li>Apache NiFi 1.1.0</li>
+            <li>Apache NiFi 1.1.1</li>
+        </ul>
+        </p>
+        <p>Description: In a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the “anonymous” user. </p>
+        <p>Mitigation: A fix has been provided (removing the negative check for anonymous user before building the proxy chain and throwing an exception, and evaluating each user in the proxy chain
+            iteration and comparing against a static constant anonymous user). This fix was applied in NIFI-3487 and released in Apache NiFi 0.7.2 and 1.1.2. 1.x users running a clustered environment
+            should upgrade to 1.1.2. 0.x users running a clustered environment should upgrade to 0.7.2. Additional migration guidance can be found <a
+                    href="https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance">here</a>. </p>
+        <p>Credit: This issue was discovered by Leonardo Dias in conjunction with Matt Gilman.</p>
+    </div>
+</div>
+<div class="row">
+    <div class="large-12 columns">
+        <p><b>CVE-2107-5636</b>: Apache NiFi User Impersonation In Cluster Environment</p>
+        <p>Severity: <b>Moderate</b></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 0.7.0</li>
+            <li>Apache NiFi 0.7.1</li>
+            <li>Apache NiFi 1.1.0</li>
+            <li>Apache NiFi 1.1.1</li>
+        </ul>
+        </p>
+        <p>Description: In a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user
+            and gain their permissions on a replicated request to another node. </p>
+        <p>Mitigation: A fix has been provided (modification of the tokenization code and sanitization of user-provided input). This fix was applied in NIFI-3487 and released in Apache NiFi 0.7.2 and
+            1.1.2. 1.x users running a clustered environment should upgrade to 1.1.2. 0.x users running a clustered environment should upgrade to 0.7.2. Additional migration guidance can be found <a
+                    href="https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance">here</a>. </p>
+        <p>Credit: This issue was discovered by Andy LoPresto.</p>
+    </div>
 </div>
 <div class="medium-space"></div>
 <div class="row">
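Review bot: the re-indented entries carry `CVE-2107-5635` and `CVE-2107-5636` over unchanged, the same impossible 2107 year prefix as the new entry above; since this hunk already rewrites every line of both blocks, it is the natural place to correct them to `CVE-2017-5635` and `CVE-2017-5636`. The stray `</p>` after each `</ul>` is also preserved from the old markup; remove it so each `<div class="large-12 columns">` is well-formed.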
@@ -189,20 +238,21 @@
     </div>
 </div>
 <div class="row">
-        <div class="large-12 columns">
-            <p><b>CVE-2106-8748</b>: Apache NiFi XSS vulnerability in connection details dialogue</p>
-            <p>Severity: <b>Moderate</b></p>
-            <p>Versions Affected:</p>
-		<ul>
-			<li>Apache NiFi 1.0.0</li>
-			<li>Apache NiFi 1.1.0</li>
-		</ul>
-	    </p>
-	    <p>Description: There is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM.</p>
-	    <p>Mitigation: 1.0.0 users should upgrade to 1.0.1 or 1.1.1.  1.1.0 users should upgrade to 1.1.1. Additional migration guidance can be found <a href="https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance">here</a>. </p>
-	    <p>Credit: This issue was discovered by Matt Gilman of the Apache NiFi PMC during a code review.</p>
-        </div>
-     </div>
+    <div class="large-12 columns">
+        <p><b>CVE-2106-8748</b>: Apache NiFi XSS vulnerability in connection details dialogue</p>
+        <p>Severity: <b>Moderate</b></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.0.0</li>
+            <li>Apache NiFi 1.1.0</li>
+        </ul>
+        </p>
+        <p>Description: There is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added
+            to the DOM.</p>
+        <p>Mitigation: 1.0.0 users should upgrade to 1.0.1 or 1.1.1. 1.1.0 users should upgrade to 1.1.1. Additional migration guidance can be found <a
+                href="https://cwiki.apache.org/confluence/display/NIFI/Migration+Guidance">here</a>. </p>
+        <p>Credit: This issue was discovered by Matt Gilman of the Apache NiFi PMC during a code review.</p>
+    </div>
 </div>
 <div class="medium-space"></div>
 <div class="row">
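Review bot: `CVE-2106-8748` has the same year-prefix typo as the other identifiers on this page and should read `CVE-2016-8748`; the title also says "dialogue" while the description says "dialog", so pick one spelling. The stray `</p>` after `</ul>` survives the re-indent here as well and should be dropped.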
@@ -211,25 +261,34 @@
     </div>
 </div>
 <div class="row">
-  <p class="description">The following lists the severity levels and criteria followed.  It closely aligns to and borrows from Apache HTTP Server Project <a href="https://httpd.apache.org/security/impact_levels.html">guidance.</a></p>
-  <div class="large-12 columns">
-	<table>
-    	 <tr>
-           <td>Critical</td>
-           <td>A vulnerability rated with a critical impact is one which could be potentially exploited by a remote attacker to get NiFi to execute arbitrary code either as the user the server is running as or root.  These are the sorts of vulnerabilities that could be exploited automatically by worms.</td>
-    	</tr>
-        <tr>
-           <td>Important</td>
-           <td>A vulnerability rated as Important impact is one which could result in the compromise of data or availability of the server.  For Apache NiFi this includes issues that allow an easy remote denial of service or access to files that should be otherwise prevented by limits or authentication.</td>
-        </tr>
-         <tr>
-           <td>Moderate</td>
-           <td>A vulnerability is likely to be rated as Moderate if there is significant mitigation to make the issue less of an impact.  This might be done because the flaw does not affect likely configurations, or it is a configuration that isn't widely used, or where a remote user must be authenticated in order to exploit the issue.</td>
-        </tr>
-         <tr>
-           <td>Low</td>
-           <td>All other security flaws are classed as a Low impact.  This rating is used for issues that are believed to be extremely hard to exploit, or where an exploit gives minimal consequences.</td>
-        </tr>
+    <p class="description">The following lists the severity levels and criteria followed. It closely aligns to and borrows from Apache HTTP Server Project <a
+            href="https://httpd.apache.org/security/impact_levels.html">guidance.</a></p>
+    <div class="large-12 columns">
+        <table>
+            <tr>
+                <td>Critical</td>
+                <td>A vulnerability rated with a critical impact is one which could be potentially exploited by a remote attacker to get NiFi to execute arbitrary code either as the user the server is
+                    running as or root. These are the sorts of vulnerabilities that could be exploited automatically by worms.
+                </td>
+            </tr>
+            <tr>
+                <td>Important</td>
+                <td>A vulnerability rated as Important impact is one which could result in the compromise of data or availability of the server. For Apache NiFi this includes issues that allow an easy
+                    remote denial of service or access to files that should be otherwise prevented by limits or authentication.
+                </td>
+            </tr>
+            <tr>
+                <td>Moderate</td>
+                <td>A vulnerability is likely to be rated as Moderate if there is significant mitigation to make the issue less of an impact. This might be done because the flaw does not affect likely
+                    configurations, or it is a configuration that isn't widely used, or where a remote user must be authenticated in order to exploit the issue.
+                </td>
+            </tr>
+            <tr>
+                <td>Low</td>
+                <td>All other security flaws are classed as a Low impact. This rating is used for issues that are believed to be extremely hard to exploit, or where an exploit gives minimal
+                    consequences.
+                </td>
+            </tr>
         </table>
     </div>
 </div>
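Review bot: the trailing period is inside the anchor (`guidance.</a>`), so the link text renders as "guidance." with the full stop underlined; move the period outside the `</a>`. Since this hunk reflows the whole severity table anyway, consider adding a header row (`<th>Level</th><th>Criteria</th>`) so the two columns are labelled for screen readers and for anyone skimming the page.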