Author: thenatog
Date: Wed Jun 15 16:04:25 2022
New Revision: 1901946

URL: http://svn.apache.org/viewvc?rev=1901946&view=rev
Log:
NIFI-10113 - Fixed mitigation on NiFi security page.

Modified:
    nifi/site/trunk/security.html

Modified: nifi/site/trunk/security.html
URL: 
http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1901946&r1=1901945&r2=1901946&view=diff
==============================================================================
--- nifi/site/trunk/security.html (original)
+++ nifi/site/trunk/security.html Wed Jun 15 16:04:25 2022
@@ -174,15 +174,20 @@
     <div class="large-12 columns">
         <p><a id="CVE-2022-33140" 
href="#CVE-2022-33140"><strong>CVE-2022-33140</strong></a>: Improper 
Neutralization of Command Elements in Shell User Group Provider</p>
         <p>Severity: <strong>High</strong></p>
-        <p>Products Affected: Apache NiFi, Apache NiFi Registry</p>
+        <p>Products Affected:</p>
+        <ul>
+            <li>Apache NiFi</li>
+            <li>Apache NiFi Registry</li>
+        </ul>
         <p>Versions Affected:</p>
         <ul>
-            <li>This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and 
macOS. This issue also affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux 
and macOS.</li>
+            <li>This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and 
macOS.</li>
+            <li>This issue affects Apache NiFi Registry 0.6.0 to 1.16.2 on 
Linux and macOS.</li>
         </ul>
         </p>
         <p>Description: The optional ShellUserGroupProvider in Apache NiFi 
1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize 
arguments for group resolution commands, allowing injection of operating system 
commands on Linux and macOS platforms.</p>
         <p>The ShellUserGroupProvider is not included in the default 
configuration. Command injection requires ShellUserGroupProvider to be one of 
the enabled User Group Providers in the Authorizers configuration. Command 
injection also requires an authenticated user with elevated privileges. Apache 
NiFi requires an authenticated user with authorization to modify access 
policies to execute the command. Apache NiFi Registry requires an authenticated 
user with authorization to read user groups to execute the command.</p>
-        <p>Mitigation: Upgrading to NiFi 1.16.1 disables Document Type 
Declarations in the default configuration for these processors, and disallows 
XML External Entity resolution in standard services.</p>
+        <p>Mitigation: NiFi and NiFi Registry version 1.16.3 has completely 
removed the shell commands from the ShellUserGroupProvider that received user 
arguments.</p>
         <p>Credit: This issue was discovered by an anonymous reporter</p>
         <p>CVE Link: <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33140"; 
target="_blank">Mitre Database CVE-2022-33140</a></p>
         <p>NiFi Jira: <a 
href="https://issues.apache.org/jira/browse/NIFI-10114"; 
target="_blank">NIFI-10114</a></p>
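Review bot: the replacement Mitigation paragraph (the `+` lines starting "Mitigation: NiFi and NiFi Registry version 1.16.3 has completely removed...") describes what changed in the release but never tells the reader what to do, and the subject/verb agreement is off ("NiFi and NiFi Registry version 1.16.3 has"). Suggest rewording it as an action, in the same form the other advisories on this page use, e.g. "Mitigation: Upgrading to NiFi 1.16.3 or NiFi Registry 1.16.3 resolves this issue; these versions removed the ShellUserGroupProvider commands that accepted user-supplied arguments." Since the Description already states that ShellUserGroupProvider is not enabled by default and that injection requires it to be listed in the Authorizers configuration, it would also help operators who cannot upgrade immediately to note that removing ShellUserGroupProvider from the Authorizers configuration closes the injection path. Separately, the unchanged context line `</p>` immediately after the Versions Affected `</ul>` has no matching opening tag (the preceding `<p>Versions Affected:</p>` is already closed), so it should be dropped while this block is being touched.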