The Apache NiFi PMC would like to announce the following CVE discoveries in 
Apache NiFi 1.0.0 - 1.5.0. These issues were resolved with the release of NiFi 
1.6.0 on April 8, 2018. NiFi is an easy to use, powerful, and reliable system 
to process and distribute data. It supports powerful and scalable directed 
graphs of data routing, transformation, and system mediation logic. For more 
information, see https://nifi.apache.org/security.html.

CVE-2018-1309 <https://nifi.apache.org/security.html#CVE-2018-1309>: Apache 
NiFi External XML Entity issue in SplitXML processor

Severity: Moderate

Versions Affected: Apache NiFi 0.1.0 - 1.5.0

Description: Malicious XML content could cause information disclosure or remote 
code execution.

Mitigation: The fix to disable external general entity parsing and disallow 
doctype declarations was applied on the Apache NiFi 1.6.0 release. Users 
running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by 圆珠笔.

CVE Link: Mitre Database: CVE-2018-1309 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1309>
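The mitigation above for CVE-2018-1309 (disable external general entity parsing and disallow doctype declarations) is the standard JAXP parser hardening. The following is an added example, not NiFi's own code: it builds a DocumentBuilder with those settings and shows it rejecting a constructed document that declares an external entity while still parsing ordinary input. The class name and sample documents are assumptions; the feature URIs are the standard Xerces/SAX ones.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

// Added example (not part of NiFi): a DOM parser configured the way the
// CVE-2018-1309 fix describes, with DOCTYPE rejected and external entities off.
public class HardenedXmlParser {

    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE blocks entity-based XXE and entity-expansion DoS outright.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: even if a DOCTYPE were accepted, never resolve external entities.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one benign document and one that declares an
        // external entity. A default-configured parser would try to resolve
        // the entity; the hardened parser rejects the DOCTYPE first.
        String benign = "<root><item>a</item><item>b</item></root>";
        String untrusted = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE root [<!ENTITY ext SYSTEM \"file:///path/to/local/file\">]>\n"
                + "<root><item>&ext;</item></root>";

        DocumentBuilder db = hardenedBuilder();
        Document ok = db.parse(new InputSource(new StringReader(benign)));
        System.out.println("benign items parsed: " + ok.getElementsByTagName("item").getLength());
        try {
            db.parse(new InputSource(new StringReader(untrusted)));
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```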

CVE-2018-1310 <https://nifi.apache.org/security.html#CVE-2018-1310>: Apache 
NiFi JMS Deserialization issue because of ActiveMQ client vulnerability

Severity: Moderate

Versions Affected: Apache NiFi 0.1.0 - 1.5.0

Description: Malicious JMS content could cause denial of service. See the ActiveMQ 
CVE-2015-5254 announcement 
<http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt>
for more information.

Mitigation: The fix to upgrade the activemq-client library to 5.15.3 was 
applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release 
should upgrade to the appropriate release.

Credit: This issue was discovered by 圆珠笔.

CVE Link: Mitre Database: CVE-2018-1310 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1310>

CVE-2017-8028 <https://nifi.apache.org/security.html#CVE-2017-8028>: Apache 
NiFi LDAP TLS issue because of Spring Security LDAP vulnerability

Severity: Severe

Versions Affected: Apache NiFi 0.1.0 - 1.5.0

Description: The Spring Security LDAP library was not enforcing credential 
authentication after TLS handshake negotiation. See the NVD CVE-2017-8028 
disclosure <https://nvd.nist.gov/vuln/detail/CVE-2017-8028> for more 
information.

Mitigation: The fix to upgrade the spring-ldap library to 2.3.2.RELEASE+ was 
applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release 
should upgrade to the appropriate release.

Credit: This issue was discovered by Matthew Elder.

CVE Link: Mitre Database: CVE-2017-8028 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8028>

CVE-2018-1324 <https://nifi.apache.org/security.html#CVE-2018-1324>: Apache 
NiFi Denial of service issue because of commons-compress vulnerability

Severity: Low

Versions Affected: Apache NiFi 0.1.0 - 1.5.0

Description: A vulnerability in the commons-compress library could cause denial 
of service. See the commons-compress CVE-2018-1324 announcement 
<https://commons.apache.org/proper/commons-compress/security-reports.html> for 
more information.

Mitigation: The fix to upgrade the commons-compress library to 1.16.1 was 
applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release 
should upgrade to the appropriate release.

Credit: This issue was discovered by Joe Witt.

CVE Link: Mitre Database: CVE-2018-1324 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324>


Andy LoPresto
alopre...@apache.org
alopresto.apa...@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69