Repository: nifi-site Updated Branches: refs/heads/master fa195c457 -> d38f83452
Added alternating row colors, fixed typo, and added Mitre CVE DB links to security.html. Project: http://git-wip-us.apache.org/repos/asf/nifi-site/repo Commit: http://git-wip-us.apache.org/repos/asf/nifi-site/commit/d38f8345 Tree: http://git-wip-us.apache.org/repos/asf/nifi-site/tree/d38f8345 Diff: http://git-wip-us.apache.org/repos/asf/nifi-site/diff/d38f8345 Branch: refs/heads/master Commit: d38f83452dec5fb9e3a3c42145950da3ea580db2 Parents: fa195c4 Author: Andy LoPresto <[email protected]> Authored: Tue May 22 10:58:05 2018 -0700 Committer: Andy LoPresto <[email protected]> Committed: Tue May 22 10:58:05 2018 -0700 ---------------------------------------------------------------------- src/pages/html/security.hbs | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/nifi-site/blob/d38f8345/src/pages/html/security.hbs ---------------------------------------------------------------------- diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs index d4c8c81..02b9731 100644 --- a/src/pages/html/security.hbs +++ b/src/pages/html/security.hbs 
@@ -62,10 +62,11 @@ title: Apache NiFi Security Reports <p>Description: Malicious XML content could cause information disclosure or remote code execution. </p> <p>Mitigation: The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p> <p>Credit: This issue was discovered by åç ç¬. </p> + <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1309" target="_blank">Mitre Database: CVE-2018-1309</a></p> <p>Released: April 8, 2018</p> </div> </div> -<div class="row"> +<div class="row" style="background-color: aliceblue"> <div class="large-12 columns"> <p><a id="CVE-2018-1310" href="#CVE-2018-1310"><strong>CVE-2018-1310</strong></a>: Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability</p> <p>Severity: <strong>Moderate</strong></p> @@ -77,6 +78,7 @@ title: Apache NiFi Security Reports <p>Description: Malicious JMS content could cause denial of service. See <a href="http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt" target="_blank">ActiveMQ CVE-2015-5254 announcement</a> for more information. </p> <p>Mitigation: The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p> <p>Credit: This issue was discovered by åç ç¬. </p> + <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1310" target="_blank">Mitre Database: CVE-2018-1310</a></p> <p>Released: April 8, 2018</p> </div> </div> 
@@ -92,12 +94,13 @@ title: Apache NiFi Security Reports <p>Description: Spring Security LDAP library was not enforcing credential authentication after TLS handshake negotiation. See <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-8028" target="_blank">NVD CVE-2017-8028 disclosure</a> for more information. </p> <p>Mitigation: The fix to upgrade the spring-ldap library to 2.3.2.RELEASE+ was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p> <p>Credit: This issue was discovered by Matthew Elder. </p> + <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8028" target="_blank">Mitre Database: CVE-2017-8028</a></p> <p>Released: April 8, 2018</p> </div> </div> -<div class="row"> +<div class="row" style="background-color: aliceblue"> <div class="large-12 columns"> - <p><a id="CVE-2018-1324" href="#CVE-2018-1324"><strong>CVE-2018-1324</strong></a>: Apache NiFi Denial of service issue because of commons-compress vulnerability</p> + <p><a id="CVE-2018-1234" href="#CVE-2018-1234"><strong>CVE-2018-1234</strong></a>: Apache NiFi Denial of service issue because of commons-compress vulnerability</p> <p>Severity: <strong>Low</strong></p> <p>Versions Affected:</p> <ul> 
@@ -107,6 +110,7 @@ title: Apache NiFi Security Reports <p>Description: A vulnerability in the commons-compress library could cause denial of service. See <a href="https://commons.apache.org/proper/commons-compress/security-reports.html" target="_blank">commons-compress CVE-2018-1234 announcement</a> for more information. </p> <p>Mitigation: The fix to upgrade the commons-compress library to 1.16.1 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p> <p>Credit: This issue was discovered by Joe Witt. </p> + <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1234" target="_blank">Mitre Database: CVE-2018-1234</a></p> <p>Released: April 8, 2018</p> </div> </div> @@ -128,10 +132,11 @@ title: Apache NiFi Security Reports <p>Description: A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server. </p> <p>Mitigation: The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p> <p>Credit: This issue was discovered by Mike Cole. </p> + <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12632" target="_blank">Mitre Database: CVE-2017-12632</a></p> <p>Released: January 12, 2018</p> </div> </div> -<div class="row"> +<div class="row" style="background-color: aliceblue"> <div class="large-12 columns"> <p><a id="CVE-2017-15697" href="#CVE-2017-15697"><strong>CVE-2017-15697</strong></a>: Apache NiFi XSS issue in context path handling</p> <p>Severity: <strong>Moderate</strong></p> 
@@ -143,6 +148,7 @@ title: Apache NiFi Security Reports <p>Description: A malicious <code>X-ProxyContextPath</code> or <code>X-Forwarded-Context</code> header containing external resources or embedded code could cause remote code execution. </p> <p>Mitigation: The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p> <p>Credit: This issue was discovered by Andy LoPresto. </p> + <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15697" target="_blank">Mitre Database: CVE-2017-15697</a></p> <p>Released: January 12, 2018</p> </div> </div> @@ -164,10 +170,11 @@ title: Apache NiFi Security Reports <p>Description: <del>An authorized user</del> Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. </p> <p>Mitigation: The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p> <p>Credit: This issue was discovered by PaweÅ Gocyla and further information was provided by Mike Cole. </p> + <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12623" target="_blank">Mitre Database: CVE-2017-12623</a></p> <p>Released: October 2, 2017 (Updated January 23, 2018)</p> </div> </div> -<div class="row"> +<div class="row" style="background-color: aliceblue"> <div class="large-12 columns"> <p><a id="CVE-2017-15703" href="#CVE-2017-15703"><b>CVE-2017-15703</b></a>: Apache NiFi Java deserialization issue in template XML upload</p> <p>Severity: <strong>Moderate</strong></p> 
@@ -179,6 +186,7 @@ title: Apache NiFi Security Reports <p>Description: Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. </p> <p>Mitigation: The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. </p> <p>Credit: This issue was discovered by Mike Cole. </p> + <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15703" target="_blank">Mitre Database: CVE-2017-15703</a></p> <p>Released: October 2, 2017 (Updated January 25, 2018)</p> </div> </div> @@ -205,7 +213,7 @@ title: Apache NiFi Security Reports <p>Released: May 8, 2017 (1.2.0); May 17, 2017 (0.7.3)</p> </div> </div> -<div class="row"> +<div class="row" style="background-color: aliceblue"> <div class="large-12 columns"> <p><a id="CVE-2017-7667" href="#CVE-2017-7667"><b>CVE-2017-7667</b></a>: Apache NiFi XFS issue due to insufficient response headers</p> <p>Severity: <b>Important</b></p> @@ -249,7 +257,7 @@ title: Apache NiFi Security Reports <p>Released: February 20, 2017</p> </div> </div> -<div class="row"> +<div class="row" style="background-color: aliceblue"> <div class="large-12 columns"> <p><a id="CVE-2017-5636" href="#CVE-2017-5636"><b>CVE-2017-5636</b></a>: Apache NiFi User Impersonation In Cluster Environment</p> <p>Severity: <b>Moderate</b></p>
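Review bot: the striping in the `-62` hunk (and the five matching `<div class="row" style="background-color: aliceblue">` changes in the hunks below) hard-codes the alternation per row, and this page lists advisories newest first, so the next CVE added at the top flips the parity of every row beneath it and all six inline styles have to be edited again. A stylesheet rule keyed on position (for example `.row:nth-of-type(even) { background-color: aliceblue; }` in the site CSS, assuming the advisory rows are siblings in one container) or a single class on the even rows keeps this to one edit. Inline `style` attributes also cannot be served under a `style-src` Content-Security-Policy that omits `'unsafe-inline'`, which a class avoids. Separately, the new `CVE Link` anchors copy the existing `target="_blank"` pattern without `rel="noopener"`; the destination is trusted, but a security-reports page is the place to set that attribute consistently.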
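Review bot: the `-77` hunk adds an https Mitre link next to a description that still references `http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt`; while this entry is being edited, switch that upstream reference to https so a reader following the advisory chain is not dropped to cleartext for the ActiveMQ announcement.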
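Review bot: the `-92` hunk changes the anchor from `CVE-2018-1324` to `CVE-2018-1234`, presumably to match the `commons-compress CVE-2018-1234 announcement` wording already in the description, but CVE-2018-1324 is the identifier Apache Commons Compress published for the extra-field parsing denial of service fixed in 1.16.1, the upgrade this entry cites, so the transposition appears to be in the description text rather than in the anchor. Verify against the linked commons-compress security-reports page before merging; if 1324 is correct, the description and the `CVE Link` line added in the `-107` hunk should read 1324 and the original `id="CVE-2018-1324"` should stay, otherwise the new Mitre link resolves to an unrelated record. Changing an `id` also breaks every existing `#CVE-2018-1324` fragment link, so if the anchor genuinely has to move, keep the old id on an empty element for compatibility.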
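Review bot: in the `-143` hunk the context keeps the title `Apache NiFi XSS issue in context path handling` while the description says a malicious `X-ProxyContextPath` or `X-Forwarded-Context` header `could cause remote code execution`; now that a `CVE Link` sends readers to the Mitre record, the two lines should agree on the impact class. Reconcile the description with the title (or the title with the description) in this same commit rather than leaving the contradiction beside the link.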
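Review bot: the credit line in the `-164` hunk context reads `PaweÅ Gocyla`, and the ones in the `-62` and `-77` hunks read `åç ç¬`, which is what UTF-8 text looks like after being decoded as Latin-1. This may be only the mail rendering, but since the commit touches every one of these entries it is worth confirming that `security.hbs` is stored as UTF-8 and that the generated page declares `<meta charset="utf-8">`, so the researchers' names render correctly next to the new links.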
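Review bot: the `-205` and `-249` hunks only recolor the `CVE-2017-7667` and `CVE-2017-5636` rows; the `Released: May 8, 2017 (1.2.0); May 17, 2017 (0.7.3)` and `Released: February 20, 2017` context lines above them show no `CVE Link` insertion, so at least the two entries that precede these rows are left without the Mitre link that every 2018 entry now carries. Either add the link line to the older entries in the same pattern or state in the commit message that only the 1.5.0 and 1.6.0 advisories were covered.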
