Fixed Common Vulnerabilities and Exposures

Review the list of fixed common vulnerabilities and exposures.

CVE fixed in CFM

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups to execute the command.

CVEs fixed in CFM 2.1.4

Apache NiFi uses H2 database for storing various NiFi runtime details. H2 database had a critical vulnerability similar to Log4Shell that potentially allows JNDI remote codebase loading. In NiFi, by default, console access to the database is restricted to local machine access only and remote access is disabled, which limits the severity of this vulnerability. More detailed information on the H2 vulnerability can be found in this blog post. Note that the fix for this CVE impacts the list of external databases Cloudera supports for the NiFi Registry instance. See the Support Matrix for more information.
When creating or updating credentials for single-user access, NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. The Login Identity Providers configuration file contains the username and a bcrypt hash of the configured password. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access.
The vulnerable jackson-databind dependency allowed a Java stack overflow exception and denial of service through a large depth of nested objects.
Multiple components in Apache NiFi versions 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values:
  • EvaluateXPath
  • EvaluateXQuery
  • ValidateXml
Apache NiFi flow configurations that include these processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references.