Common Vulnerabilities and Exposures
Lists common vulnerabilities and exposures fixed in HDF 3.5.2.
The following CVEs have been fixed in HDF 3.5.2:
log4j vulnerability patches
On December 21, 2021 Cloudera released a hotfix for Cloudera Flow Management on Private Cloud Base. It addresses 2 CVEs and other vulnerability concerns as listed below. Cloudera urges all customers to upgrade their DataFlow services to the latest version.
-
CVE-2021-44228 which affects Apache Log4j2 versions 2.0 through 2.14.1.
-
CVE-2021-45046 which affects Apache Log4j2 version 2.15.0
-
LOGBACK-1591 which affects logback versions <= 1.2.7
 | Important |
|---|---|
NiFi contains the vulnerable log4j2 libraries and should be updated. For information about the available hotfix, contact your Cloudera Support representative. Cloudera is not aware of known exploitation paths within CFM for Private Cloud Base, however upgrading protects against the possibility of any exploitation. |
CVE-2020-9486
Component: Apache NiFi
Description: The NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext.
Severity: Important
Versions Affected: Apache NiFi 1.10.0 - 1.11.4
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-9486
CVE-2020-9487
Component: Apache NiFi
Description: The NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.
Severity: Important
Versions Affected: Apache NiFi 1.0.0 - 1.11.4
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-9487
CVE-2020-9491
Component: Apache NiFi
Description: The NiFi UI and API were protected by mandating TLS v1.2, as well as
listening connections established by processors like ListenHTTP,
HandleHttpRequest, etc. However intracluster communication such as
cluster request replication, Site-to-Site, and load balanced queues continued to support
TLS v1.0 or v1.1.
Severity: Critical
Versions Affected: Apache NiFi 1.2.0 - 1.11.4
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-9491
CVE-2020-13940
Component: Apache NiFi
Description: The notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE).
Severity: Low
Versions Affected: Apache NiFi 1.0.0 - 1.11.4
Apache CVE Report Link: https://nifi.apache.org/security.html#CVE-2020-13940