Hi Bharath,

Apache NiFi 1.28.1 includes Apache ZooKeeper 3.9.3, so upgrading to that version would resolve this particular finding. Apache NiFi embedded ZooKeeper does not enable the Admin Server in the default configuration, so Apache NiFi is not directly impacted.

With that being said, as you noted, Apache NiFi 1 is no longer receiving regular updates. There are a number of other dependencies in that version that are also unsupported, so upgrading to Apache NiFi 2 is the best option for maintaining security.

Regards,
David Handermann

On Thu, Feb 27, 2025 at 11:40 AM Chinthala, Bharath Chandra <c-bharathchandra.chinth...@charter.com> wrote:
> Hi Everyone,
>
> I am writing this mail to get your inputs or feedback on one of the ZooKeeper vulnerabilities, CVE-2024-51504, and its impact on NiFi. We are using NiFi 1.27 version clusters, and the vulnerability affected versions are Apache ZooKeeper 3.9.0 before 3.9.3.
>
> Our security team raised this vulnerability and asked for an upgrade of ZooKeeper. I did my research and got to know we cannot upgrade the embedded ZooKeeper that comes with NiFi.
>
> Also, I see Dev support has ended for 1.x except for critical bugs.
>
> Is there any solution to fix this? Could you please take a moment and share your inputs on this?
>
> More details on the vulnerability can be found here:
> https://zookeeper.apache.org/security.html#CVE-2024-51504
>
> Bharath Chandra | Integration Analyst
> IT Centers of Excellence
> 13736 Riverport Dr., Maryland Heights, MO 63043
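The reply above rests on two facts about a given NiFi 1.x install: which ZooKeeper version is bundled, and whether `admin.enableServer` in `conf/zookeeper.properties` leaves the Admin Server off. The script below is an added audit example written for this thread, not code from the NiFi project or from either poster. It assumes the install directory is passed as the first argument (defaulting to `/opt/nifi`), that the bundled ZooKeeper jar is named `zookeeper-<version>.jar` somewhere under that directory (in `lib/` or an unpacked NAR), and that the embedded ZooKeeper configuration lives at `conf/zookeeper.properties`; the 3.9.3 threshold is the fixed version cited in the thread.

```shell
#!/bin/sh
# Added audit script for a NiFi 1.x install (not NiFi project code).
# Checks the two things the thread turns on: the bundled ZooKeeper
# version and whether the ZooKeeper Admin Server is disabled.
# Assumed layout: <home>/conf/zookeeper.properties and a jar named
# zookeeper-<version>.jar somewhere under <home>.
set -u

# Print the version of the bundled ZooKeeper jar found under $1
# ("unknown" with non-zero status if no such jar exists).
zk_version() {
  local home="${1:-/opt/nifi}" jar
  jar=$(find "$home" -name 'zookeeper-[0-9]*.jar' 2>/dev/null | head -n 1)
  if [ -z "$jar" ]; then
    echo unknown
    return 1
  fi
  basename "$jar" | sed 's/^zookeeper-\([0-9][0-9.]*\)\.jar$/\1/'
}

# Report whether the Admin Server is enabled according to the
# zookeeper.properties file given as $1. ZooKeeper's own default for
# admin.enableServer is true, so a missing key counts as enabled.
# Prints enabled/disabled; exit status 0 means enabled.
admin_server_enabled() {
  local props="$1" val
  val=$(grep '^[[:space:]]*admin\.enableServer[[:space:]]*=' "$props" 2>/dev/null \
        | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
  case "${val:-true}" in
    [Ff][Aa][Ll][Ss][Ee]) echo disabled; return 1 ;;
    *)                    echo enabled;  return 0 ;;
  esac
}

# Return 0 if dotted version $1 >= $2, comparing three numeric components.
version_ge() {
  local a="$1" b="$2" x y i
  for i in 1 2 3; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case "$a" in *.*) a=${a#*.} ;; *) a=0 ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b=0 ;; esac
  done
  return 0
}

# Combined audit for one NiFi home directory. Exit status 0 only when
# the bundled ZooKeeper is at least 3.9.3 AND the Admin Server is disabled.
audit_nifi() {
  local home="${1:-/opt/nifi}" rc=0 ver state
  ver=$(zk_version "$home") || rc=1
  if state=$(admin_server_enabled "$home/conf/zookeeper.properties"); then
    rc=1
  fi
  echo "embedded ZooKeeper jar: $ver"
  echo "Admin Server:           $state"
  if [ "$ver" != unknown ] && ! version_ge "$ver" 3.9.3; then
    echo "FINDING: ZooKeeper $ver is older than 3.9.3 (fixed version cited in the thread)"
    rc=1
  fi
  if [ "$state" = enabled ]; then
    echo "FINDING: admin.enableServer is not set to false"
  fi
  return $rc
}

# Usage: sh nifi_zk_audit.sh /opt/nifi
if [ "$#" -gt 0 ]; then
  audit_nifi "$1"
fi
```

Run it against each node's NiFi home; a non-zero exit means either the jar is older than 3.9.3 or the Admin Server is not explicitly disabled, which is exactly the combination that would make the finding applicable rather than informational.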