Author: thenatog Date: Wed Jun 15 16:04:25 2022 New Revision: 1901946 URL: http://svn.apache.org/viewvc?rev=1901946&view=rev Log: NIFI-10113 - Fixed mitigation on NiFi security page.
Modified: nifi/site/trunk/security.html Modified: nifi/site/trunk/security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1901946&r1=1901945&r2=1901946&view=diff ============================================================================== --- nifi/site/trunk/security.html (original) +++ nifi/site/trunk/security.html Wed Jun 15 16:04:25 2022 @@ -174,15 +174,20 @@ <div class="large-12 columns"> <p><a id="CVE-2022-33140" href="#CVE-2022-33140"><strong>CVE-2022-33140</strong></a>: Improper Neutralization of Command Elements in Shell User Group Provider</p> <p>Severity: <strong>High</strong></p> - <p>Products Affected: Apache NiFi, Apache NiFi Registry</p> + <p>Products Affected:</p> + <ul> + <li>Apache NiFi</li> + <li>Apache NiFi Registry</li> + </ul> <p>Versions Affected:</p> <ul> - <li>This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS. This issue also affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS.</li> + <li>This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS.</li> + <li>This issue affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS.</li> </ul> </p> <p>Description: The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms.</p> <p>The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups to execute the command.</p> - <p>Mitigation: Upgrading to NiFi 1.16.1 disables Document Type Declarations in the default configuration for these processors, and disallows XML External Entity resolution in standard services.</p> + <p>Mitigation: NiFi and NiFi Registry version 1.16.3 has completely removed the shell commands from the ShellUserGroupProvider that received user arguments.</p> <p>Credit: This issue was discovered by an anonymous reporter</p> <p>CVE Link: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33140" target="_blank">Mitre Database CVE-2022-33140</a></p> <p>NiFi Jira: <a href="https://issues.apache.org/jira/browse/NIFI-10114" target="_blank">NIFI-10114</a></p>