Author: alopresto
Date: Tue May 22 17:59:58 2018
New Revision: 1832051
URL: http://svn.apache.org/viewvc?rev=1832051&view=rev
Log:
Added Mitre links and fixed typo on security.html.
Modified:
nifi/site/trunk/security.html
Modified: nifi/site/trunk/security.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1832051&r1=1832050&r2=1832051&view=diff
==============================================================================
--- nifi/site/trunk/security.html (original)
+++ nifi/site/trunk/security.html Tue May 22 17:59:58 2018
@@ -163,10 +163,11 @@
<p>Description: Malicious XML content could cause information
disclosure or remote code execution. </p>
<p>Mitigation: The fix to disable external general entity parsing and
disallow doctype declarations was applied on the Apache NiFi 1.6.0 release.
Users running a prior 1.x release should upgrade to the appropriate release.
</p>
<p>Credit: This issue was discovered by åç ç¬. </p>
+ <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1309"
target="_blank">Mitre Database: CVE-2018-1309</a></p>
<p>Released: April 8, 2018</p>
</div>
</div>
-<div class="row">
+<div class="row" style="background-color: aliceblue">
<div class="large-12 columns">
<p><a id="CVE-2018-1310"
href="#CVE-2018-1310"><strong>CVE-2018-1310</strong></a>: Apache NiFi JMS
Deserialization issue because of ActiveMQ client vulnerability</p>
<p>Severity: <strong>Moderate</strong></p>
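Review bot: the added CVE Link anchor (and each of the matching anchors added later in this patch) opens with `target="_blank"` but carries no `rel="noopener noreferrer"`, so the Mitre page receives a `window.opener` reference back to security.html; add the attribute to every new anchor, e.g. `target="_blank" rel="noopener noreferrer">Mitre Database: CVE-2018-1309</a>`. The unchanged credit line `Credit: This issue was discovered by åç ç¬.` also looks like a double-encoded UTF-8 name and is worth repairing while this entry is being edited.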
@@ -178,6 +179,7 @@
<p>Description: Malicious JMS content could cause denial of service.
See <a
href="http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt"
target="_blank">ActiveMQ CVE-2015-5254 announcement</a> for more information.
</p>
<p>Mitigation: The fix to upgrade the activemq-client library to
5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x
release should upgrade to the appropriate release. </p>
<p>Credit: This issue was discovered by åç ç¬. </p>
+ <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1310"
target="_blank">Mitre Database: CVE-2018-1310</a></p>
<p>Released: April 8, 2018</p>
</div>
</div>
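Review bot: the existing advisory reference in this entry, `href="http://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt"`, is plain http while the CVE Link added directly below it uses https; since the commit already touches this block, switch the advisory link to https so the referenced text cannot be altered in transit. The credit line here repeats the same mis-encoded reporter name as the CVE-2018-1309 entry and should be fixed together with it.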
@@ -193,12 +195,13 @@
<p>Description: Spring Security LDAP library was not enforcing
credential authentication after TLS handshake negotiation. See <a
href="https://nvd.nist.gov/vuln/detail/CVE-2017-8028" target="_blank">NVD
CVE-2017-8028 disclosure</a> for more information. </p>
<p>Mitigation: The fix to upgrade the spring-ldap library to
2.3.2.RELEASE+ was applied on the Apache NiFi 1.6.0 release. Users running a
prior 1.x release should upgrade to the appropriate release. </p>
<p>Credit: This issue was discovered by Matthew Elder. </p>
+ <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8028"
target="_blank">Mitre Database: CVE-2017-8028</a></p>
<p>Released: April 8, 2018</p>
</div>
</div>
-<div class="row">
+<div class="row" style="background-color: aliceblue">
<div class="large-12 columns">
- <p><a id="CVE-2018-1324"
href="#CVE-2018-1324"><strong>CVE-2018-1324</strong></a>: Apache NiFi Denial of
service issue because of commons-compress vulnerability</p>
+ <p><a id="CVE-2018-1234"
href="#CVE-2018-1234"><strong>CVE-2018-1234</strong></a>: Apache NiFi Denial of
service issue because of commons-compress vulnerability</p>
<p>Severity: <strong>Low</strong></p>
<p>Versions Affected:</p>
<ul>
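Review bot: renaming the heading and anchor from CVE-2018-1324 to CVE-2018-1234 makes the heading agree with the description text that follows, but the hunk does not show which of the two identifiers is the typo, and the Apache Commons Compress security report for the ZIP infinite-loop denial of service that I know of is CVE-2018-1324, which would make the description the error rather than the heading; confirm the number against the linked commons-compress security-reports page before this lands. Changing `id="CVE-2018-1324"` also breaks any external link to `security.html#CVE-2018-1324` that was published since April 8, so if the rename stands, keep the old id as a secondary anchor on the same heading.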
@@ -208,6 +211,7 @@
<p>Description: A vulnerability in the commons-compress library could
cause denial of service. See <a
href="https://commons.apache.org/proper/commons-compress/security-reports.html"
target="_blank">commons-compress CVE-2018-1234 announcement</a> for more
information. </p>
<p>Mitigation: The fix to upgrade the commons-compress library to
1.16.1 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x
release should upgrade to the appropriate release. </p>
<p>Credit: This issue was discovered by Joe Witt. </p>
+ <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1234"
target="_blank">Mitre Database: CVE-2018-1234</a></p>
<p>Released: April 8, 2018</p>
</div>
</div>
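Review bot: the new Mitre link `name=CVE-2018-1234` and the existing link text `commons-compress CVE-2018-1234 announcement` both depend on that identifier being correct, and a Mitre lookup of a wrong or unassigned CVE number returns a reserved or unrelated entry rather than an error; open the URL and check that it describes the commons-compress denial of service fixed by the 1.16.1 upgrade before publishing.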
@@ -229,10 +233,11 @@
<p>Description: A malicious host header in an incoming HTTP request
could cause NiFi to load resources from an external server. </p>
<p>Mitigation: The fix to sanitize host headers and compare to a
controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users
running a prior 1.x release should upgrade to the appropriate release. </p>
<p>Credit: This issue was discovered by Mike Cole. </p>
+ <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12632"
target="_blank">Mitre Database: CVE-2017-12632</a></p>
<p>Released: January 12, 2018</p>
</div>
</div>
-<div class="row">
+<div class="row" style="background-color: aliceblue">
<div class="large-12 columns">
<p><a id="CVE-2017-15697"
href="#CVE-2017-15697"><strong>CVE-2017-15697</strong></a>: Apache NiFi XSS
issue in context path handling</p>
<p>Severity: <strong>Moderate</strong></p>
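Review bot: the alternating row shading is done by hand-toggling `style="background-color: aliceblue"` on every other `<div class="row">`, so each new advisory inserted at the top of the list re-stripes every row beneath it and produces a diff like this one; move the color into the site stylesheet (for example `.row:nth-child(even) { background-color: aliceblue; }` scoped to the advisory container) and drop the inline style from the markup.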
@@ -244,6 +249,7 @@
<p>Description: A malicious <code>X-ProxyContextPath</code> or
<code>X-Forwarded-Context</code> header containing external resources or
embedded code could cause remote code execution. </p>
<p>Mitigation: The fix to properly handle these headers was applied on
the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade
to the appropriate release. </p>
<p>Credit: This issue was discovered by Andy LoPresto. </p>
+ <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15697"
target="_blank">Mitre Database: CVE-2017-15697</a></p>
<p>Released: January 12, 2018</p>
</div>
</div>
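Review bot: the heading describes CVE-2017-15697 as an XSS issue while the description says the header values "could cause remote code execution"; script injected through a header executes in the visiting browser, not on the NiFi host, so either the description should state browser-side script execution or the heading should change, so that readers judge the Moderate severity against the right impact.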
@@ -265,10 +271,11 @@
<p>Description: <del>An authorized user</del> Any authenticated user
(valid client certificate but without ACL permissions) could upload a template
which contained malicious code and accessed sensitive files via an XML External
Entity (XXE) attack. </p>
<p>Mitigation: The fix to properly handle XML External Entities was
applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release
should upgrade to the appropriate release. </p>
<p>Credit: This issue was discovered by PaweÅ Gocyla and further
information was provided by Mike Cole. </p>
+ <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12623"
target="_blank">Mitre Database: CVE-2017-12623</a></p>
<p>Released: October 2, 2017 (Updated January 23, 2018)</p>
</div>
</div>
-<div class="row">
+<div class="row" style="background-color: aliceblue">
<div class="large-12 columns">
<p><a id="CVE-2017-15703"
href="#CVE-2017-15703"><b>CVE-2017-15703</b></a>: Apache NiFi Java
deserialization issue in template XML upload</p>
<p>Severity: <strong>Moderate</strong></p>
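Review bot: the credit line `PaweÅ Gocyla` is mojibake for Paweł, UTF-8 bytes for the letter ł read back as Latin-1 with the second byte dropped; since the commit is editing this entry, repair the name (or write it with the `&#322;` entity) so the reporter is credited correctly.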
@@ -280,6 +287,7 @@
<p>Description: Any authenticated user (valid client certificate but
without ACL permissions) could upload a template which contained malicious code
and caused a denial of service via Java deserialization attack. </p>
<p>Mitigation: The fix to properly handle Java deserialization was
applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release
should upgrade to the appropriate release. </p>
<p>Credit: This issue was discovered by Mike Cole. </p>
+ <p>CVE Link: <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15703"
target="_blank">Mitre Database: CVE-2017-15703</a></p>
<p>Released: October 2, 2017 (Updated January 25, 2018)</p>
</div>
</div>
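Review bot: this entry's heading uses `<b>CVE-2017-15703</b>` and its severity line `<strong>Moderate</strong>`, while the entries above use `<strong>` for both and the entries below use `<b>` for both; pick one form (the `<strong>` markup used from CVE-2018-1309 through CVE-2017-12623) for every heading and severity line so the stylesheet and assistive technology treat all advisories alike.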
@@ -306,7 +314,7 @@
<p>Released: May 8, 2017 (1.2.0); May 17, 2017 (0.7.3)</p>
</div>
</div>
-<div class="row">
+<div class="row" style="background-color: aliceblue">
<div class="large-12 columns">
<p><a id="CVE-2017-7667"
href="#CVE-2017-7667"><b>CVE-2017-7667</b></a>: Apache NiFi XFS issue due to
insufficient response headers</p>
<p>Severity: <b>Important</b></p>
@@ -350,7 +358,7 @@
<p>Released: February 20, 2017</p>
</div>
</div>
-<div class="row">
+<div class="row" style="background-color: aliceblue">
<div class="large-12 columns">
<p><a id="CVE-2017-5636"
href="#CVE-2017-5636"><b>CVE-2017-5636</b></a>: Apache NiFi User Impersonation
In Cluster Environment</p>
<p>Severity: <b>Moderate</b></p>