[nifi-site] branch main updated: NIFI-10113 - Fixed mitigation on NiFi security page.

Wed, 15 Jun 2022 08:41:12 -0700 

This is an automated email from the ASF dual-hosted git repository.

thenatog pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 9452fa7  NIFI-10113 - Fixed mitigation on NiFi security page.
9452fa7 is described below

commit 9452fa75f6247b1283fe70083442ff7f3538d8a8
Author: Nathan Gough <[email protected]>
AuthorDate: Wed Jun 15 11:40:40 2022 -0400

    NIFI-10113 - Fixed mitigation on NiFi security page.
---
 src/pages/html/security.hbs | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs
index 5c3293c..fc419a6 100644
--- a/src/pages/html/security.hbs
+++ b/src/pages/html/security.hbs
@@ -68,15 +68,20 @@ title: Apache NiFi Security Reports
     <div class="large-12 columns">
         <p><a id="CVE-2022-33140" 
href="#CVE-2022-33140"><strong>CVE-2022-33140</strong></a>: Improper 
Neutralization of Command Elements in Shell User Group Provider</p>
         <p>Severity: <strong>High</strong></p>
-        <p>Products Affected: Apache NiFi, Apache NiFi Registry</p>
+        <p>Products Affected:</p>
+        <ul>
+            <li>Apache NiFi</li>
+            <li>Apache NiFi Registry</li>
+        </ul>
         <p>Versions Affected:</p>
         <ul>
-            <li>This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and 
macOS. This issue also affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux 
and macOS.</li>
+            <li>This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and 
macOS.</li>
+            <li>This issue affects Apache NiFi Registry 0.6.0 to 1.16.2 on 
Linux and macOS.</li>
         </ul>
         </p>
         <p>Description: The optional ShellUserGroupProvider in Apache NiFi 
1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize 
arguments for group resolution commands, allowing injection of operating system 
commands on Linux and macOS platforms.</p>
         <p>The ShellUserGroupProvider is not included in the default 
configuration. Command injection requires ShellUserGroupProvider to be one of 
the enabled User Group Providers in the Authorizers configuration. Command 
injection also requires an authenticated user with elevated privileges. Apache 
NiFi requires an authenticated user with authorization to modify access 
policies to execute the command. Apache NiFi Registry requires an authenticated 
user with authorization to read user gr [...]
-        <p>Mitigation: Upgrading to NiFi 1.16.1 disables Document Type 
Declarations in the default configuration for these processors, and disallows 
XML External Entity resolution in standard services.</p>
+        <p>Mitigation: NiFi and NiFi Registry version 1.16.3 has completely 
removed the shell commands from the ShellUserGroupProvider that received user 
arguments.</p>
         <p>Credit: This issue was discovered by an anonymous reporter</p>
         <p>CVE Link: <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33140"; 
target="_blank">Mitre Database CVE-2022-33140</a></p>
         <p>NiFi Jira: <a 
href="https://issues.apache.org/jira/browse/NIFI-10114"; 
target="_blank">NIFI-10114</a></p>

Reply via email to