Cloudera DataFlow fix for CVE-2021-44228

On December 17, 2021, Cloudera released Cloudera DataFlow (CDF) for Public Cloud version 1.0.3-h1-b6. It addresses 2 CVEs and other vulnerability concerns as listed below. Cloudera urges all customers to upgrade their DataFlow services to the latest version.

Upgrade to the latest DataFlow version

To upgrade your DataFlow service to the latest version, which includes fixes for the log4j2 security vulnerability and logback mitigation issues, follow these steps. These steps provide a comprehensive upgrade and are the recommended approach. After completing these steps, no additional action is required.

  1. Terminate running deployments.
  2. Disable DataFlow for an environment.
  3. Enable DataFlow for an environment.
  4. Recreate your deployments.

Result

You are upgraded to the latest version of the DataFlow service and all deployments are running the latest NiFi Runtime.

Upgrade DataFlow deployments to the latest NiFi Runtime

This procedure is for customers with an enabled DataFlow service 1.0.2 - 1.0.3 who want to address only the log4j2 CVE mitigation as an immediate action, without fully disabling and recreating the DataFlow service and deployments. For each running deployment:

  1. From the DataFlow Dashboard, click Manage Deployment.
  2. Select Change NiFi Version from the Actions drop-down.
  3. Select Latest Version (1.14.0.2.3.2.1-6) and click Apply.

Result

For each DataFlow Deployment, this upgrades the running NiFi cluster to a version of NiFi that includes log4j2 and logback vulnerability mitigation.

After completing these steps, Cloudera recommends that you plan to upgrade to the latest version of your DataFlow service.