Author: thenatog
Date: Thu Jan 13 17:32:24 2022
New Revision: 1897010

URL: http://svn.apache.org/viewvc?rev=1897010&view=rev
Log:
Updated security page to include some details about the latest h2 database 
vulnerability which does not appear to affect NiFi and its usage

Modified:
    nifi/site/trunk/security.html

Modified: nifi/site/trunk/security.html
URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1897010&r1=1897009&r2=1897010&view=diff
==============================================================================
--- nifi/site/trunk/security.html (original)
+++ nifi/site/trunk/security.html Thu Jan 13 17:32:24 2022
@@ -218,6 +218,22 @@
         <p>Released: December 15, 2021</p>
     </div>
 </div>
+<div class="row" style="background-color: aliceblue">
+    <div class="large-12 columns">
+        <p><a id="CVE-2021-23463" 
href="#CVE-2021-23463"><strong>CVE-2021-23463</strong></a>: Apache NiFi's use 
of H2 database</p>
+        <p>Severity: <strong>None</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.13.0 - 1.15.x</li>
+        </ul>
+        </p>
+        <p>Description: For posterity we will note here that Apache NiFi uses 
H2 database v1.4.199 which was announced to contain CVE-2021-23463. Upon 
investigation, we have found that NiFi's usage of H2 is
+            limited in scope, generally to authentication mechanisms which 
have clearly defined usages that do not include usages of the vulnerable 
org.h2.jdbc.JdbcResultSet.getSQLXML() method. For more information on this H2 
vulnerability, see <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-23463"; 
target="_blank">NIST NVD CVE-2021-23463</a>. </p>
+        <p>Mitigation: We are working to develop an upgrade path for NiFi to a 
fixed version of the H2 dependency, which will resolve flagging this issue on 
CVE scans.</p>
+        <p>CVE Link: <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23463"; 
target="_blank">Mitre Database: CVE-2021-23463</a></p>
+        <p>Released: December 15, 2021</p>
+    </div>
+</div>
 <div class="medium-space"></div>
 <div class="row">
     <div class="large-12 columns features">
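Review bot: the `</p>` on its own line right after the `</ul>` (just before the "Description:" paragraph) has no matching opening `<p>`; the "Versions Affected:" paragraph is already closed on its own line, so this stray close tag should be deleted, otherwise the new entry differs structurally from the existing advisory blocks it copies. The two anchor tags also carry a `;` directly after the closing quote of `href` (`href="https://nvd.nist.gov/vuln/detail/CVE-2021-23463"; target="_blank"`), which browsers will parse as a junk attribute; drop the semicolons so the tags read `href="..." target="_blank"`. Since both links open in a new tab with `target="_blank"`, consider adding `rel="noopener noreferrer"` to match current practice for external links. Finally, the "Released: December 15, 2021" line matches the previous entry rather than this commit's date of January 13, 2022; confirm the intended date before publishing.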