Fixed CVEs in Flow Management
Review the list of common vulnerabilities and exposures fixed in Cloudera Flow Management (CFM) in Data Hub 7.2.15.
- A vulnerable jackson-databind dependency allowed a Java stack overflow exception, and therefore a denial of service, to be triggered by deserializing input with a very large depth of nested objects.
- Apache NiFi uses the H2 database for storing various NiFi runtime details. The H2 database had a critical vulnerability, similar to Log4Shell, that could allow remote codebase loading through JNDI. In NiFi, console access to the database is restricted to the local machine by default and remote access is disabled, which limits the severity of this vulnerability. More detailed information on the H2 vulnerability can be found in this blog post. Note that the fix for this CVE changes the list of external databases Cloudera supports for the NiFi Registry instance. See the Support Matrix for more information.
- When creating or updating credentials for single-user access, NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. The Login Identity Providers configuration file contains the username and a bcrypt hash of the configured password. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access.
- Multiple components in Apache NiFi versions 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default
- Apache NiFi flow configurations that include these processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.