Hi Tristan,

Although NiFi 1.15.3 and earlier include Spring Framework libraries identified with CVE-2022-22965, initial research suggests that NiFi is not impacted.

NiFi and NiFi Registry use Jetty, whereas the vulnerability requires running applications on Apache Tomcat. The vulnerability also involves data binding connected with spring-webmvc and spring-webflux, but NiFi uses JAX-RS with Jersey for REST request handling. If further research uncovers additional attack vectors, that could change the analysis.

NiFi has already upgraded the current main branch to use Spring Framework 5.3.18 and Spring Boot 2.6.6, which will be incorporated in upcoming releases.

Please see the following NiFi Jira issue for additional details regarding the upgrade and background on the vulnerability:

https://issues.apache.org/jira/browse/NIFI-9852

Regards,
David Handermann

On Thu, Mar 31, 2022 at 7:38 PM Tristan Steele <trste...@redhat.com> wrote:
> Good Day,
>
> I've been reading through some of the information that is now available
> about the recently reported remote code execution vulnerability in the
> Spring framework and it appears that a vulnerable version of this library
> is part of the 1.15.3 release?
>
> Is it known yet if this library is used in a way that makes it vulnerable
> to exploitation? Will there likely be a new release that updates this
> dependency to one that is not affected?
>
> Thanks in advance for any assistance on this one,
> Tristan
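The reply above reduces the exposure question to three observable conditions: a Spring Framework version below the 5.3.18 upgrade target, the spring-webmvc or spring-webflux data-binding artifacts on the classpath, and an Apache Tomcat runtime rather than Jetty. The following script is an added example, not code from this thread or from the NiFi project, that turns those conditions into an inventory check over a deployment's lib directory. It assumes Maven-style jar names (`<artifact>-<version>[qualifier].jar`), uses only the 5.3.18 and 2.6.6 versions named in the reply as thresholds, identifies servlet containers by the `tomcat` and `jetty` artifact prefixes, and the sample classpaths are constructed for illustration rather than copied from an actual NiFi release.

```python
"""Triage a lib directory against the CVE-2022-22965 preconditions named in the
thread. Added example, not NiFi project code; sample jar lists are constructed."""
import re
from pathlib import Path

# Upgrade targets named in the reply for the NiFi main branch.
FIXED_SPRING_FRAMEWORK = (5, 3, 18)
FIXED_SPRING_BOOT = (2, 6, 6)

# Artifacts the reply names as the data-binding path the vulnerability involves.
DATA_BINDING_ARTIFACTS = {"spring-webmvc", "spring-webflux"}

# Maven-style jar name: <artifact>-<numeric version>[<qualifier>].jar (assumption)
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*)(?:[.\-][^/]*)?\.jar$")


def parse_jar(name):
    """Return (artifact, version_tuple), or None for names that are not versioned jars."""
    m = JAR_RE.match(name)
    if not m:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("artifact"), version


def assess(jar_names):
    """Classify a classpath as 'patched', 'exposed' or 'review' with supporting detail."""
    outdated = {}          # Spring artifacts below the upgrade targets
    data_binding = set()   # spring-webmvc / spring-webflux seen
    containers = set()     # servlet containers seen (by artifact prefix, an assumption)
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact.startswith("spring-boot"):
            if version < FIXED_SPRING_BOOT:
                outdated[artifact] = version
        elif artifact.startswith("spring-"):
            if version < FIXED_SPRING_FRAMEWORK:
                outdated[artifact] = version
            if artifact in DATA_BINDING_ARTIFACTS:
                data_binding.add(artifact)
        if artifact.startswith("tomcat"):
            containers.add("tomcat")
        elif artifact.startswith("jetty"):
            containers.add("jetty")

    if not outdated:
        verdict = "patched"            # nothing below the upgrade targets
    elif "tomcat" in containers and data_binding:
        verdict = "exposed"            # all preconditions from the reply are present
    else:
        verdict = "review"             # old Spring, but the named preconditions are absent
    return {
        "verdict": verdict,
        "outdated": outdated,
        "data_binding": sorted(data_binding),
        "containers": sorted(containers),
    }


def assess_directory(lib_dir):
    """Run assess() over the jar files in a real lib directory."""
    return assess(p.name for p in Path(lib_dir).glob("*.jar"))


# Constructed sample classpaths; versions are illustrative, not from a NiFi release.
NIFI_LIKE = [
    "nifi-framework-core-1.15.3.jar",
    "spring-core-5.3.16.jar",
    "spring-web-5.3.16.jar",
    "spring-context-5.3.16.jar",
    "jersey-server-2.35.jar",
    "jetty-server-9.4.44.v20210927.jar",
]
TOMCAT_MVC_APP = [
    "spring-webmvc-5.3.16.jar",
    "spring-core-5.3.16.jar",
    "tomcat-embed-core-9.0.58.jar",
]
UPGRADED = [
    "spring-core-5.3.18.jar",
    "spring-web-5.3.18.jar",
    "spring-boot-2.6.6.jar",
    "jetty-server-9.4.44.v20210927.jar",
]

if __name__ == "__main__":
    for label, jars in (("nifi-like", NIFI_LIKE), ("tomcat-mvc", TOMCAT_MVC_APP), ("upgraded", UPGRADED)):
        print(label, assess(jars))
```

The "review" verdict is deliberate: an older Spring Framework on a Jetty/Jersey classpath is exactly the situation the reply describes, where the known preconditions are not met but further research could change the analysis, so the script reports it rather than clearing it. The check only sees jar names, so shaded or fat jars that hide their Spring dependency would not be detected, and any Spring line other than the 5.3.x series the reply mentions is simply flagged for review by the same threshold.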