Apache NiFi PMC would like to announce the discovery and resolution of CVE-2020-9486, CVE-2020-9487, CVE-2020-9491, and CVE-2020-13940. These issues have been resolved and a new version of the Apache NiFi project was released in accordance with the Apache Release Process.
Apache NiFi is an easy to use, powerful, and reliable system to process and distribute data. It supports powerful and scalable directed graphs of data routing, transformation, and system mediation logic. Fixed in Apache NiFi 1.12.0 (Released: August 18, 2020) CVE-2020-9486: Apache NiFi information disclosure in logs Severity: Important Versions Affected: Apache NiFi 1.10.0 - 1.11.4 Description: The NiFi stateless execution engine produced log output which included sensitive property values. When a flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in plaintext. Mitigation: Implemented Argon2 secure hashing to provide a deterministic loggable value which does not reveal the sensitive value. Users running any previous NiFi release should upgrade to the latest release. Credit: This issue was discovered by Andy LoPresto and Pierre Villard. CVE-2020-9487: Apache NiFi denial of service Severity: Important Versions Affected: Apache NiFi 1.0.0 - 1.11.4 Description: The NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a request to create a download token, only when attempting to use the token to access the content. An unauthenticated user could repeatedly request download tokens, preventing legitimate users from requesting download tokens. Mitigation: Disabled anonymous authentication, implemented a multi-indexed cache, and limited token creation requests to one concurrent request per user. Users running any previous NiFi release should upgrade to the latest release. Credit: This issue was discovered by Dennis Detering (IT Security Consultant at Spike Reply). CVE-2020-9491: Apache NiFi use of weak TLS protocols Severity: Critical Versions Affected: Apache NiFi 1.2.0 - 1.11.4 Description: The NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1. Mitigation: Refactored disparate internal SSL and TLS code, reducing exposure for extension and framework developers to low-level primitives. Added support for TLS v1.3 on supporting JVMs. Restricted all incoming TLS communications to TLS v1.2+. Users running any previous NiFi release should upgrade to the latest release. Credit: This issue was discovered by Juan Carlos Sequeiros and Andy LoPresto. CVE-2020-13940: Apache NiFi information disclosure by XXE Severity: Low Versions Affected: Apache NiFi 1.0.0 - 1.11.4 Description: The notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE). Mitigation: An XML validator was introduced to prevent malicious code from being parsed and executed. Users running any previous NiFi release should upgrade to the latest release. Credit: This issue was discovered by Matt Burgess and Andy LoPresto. For more information: https://nifi.apache.org/security.html <https://nifi.apache.org/security.html> Andy LoPresto [email protected] [email protected] He/Him PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
