[
https://issues.apache.org/jira/browse/NIFI-10983?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Handermann updated NIFI-10983:
------------------------------------
Fix Version/s: 1.20.0
Resolution: Fixed
Status: Resolved (was: Patch Available)
> Update google protobuf-java core to 3.20.3
> ------------------------------------------
>
> Key: NIFI-10983
> URL: https://issues.apache.org/jira/browse/NIFI-10983
> Project: Apache NiFi
> Issue Type: Improvement
> Affects Versions: 1.19.1
> Reporter: Phil Lee
> Assignee: David Handermann
> Priority: Major
> Fix For: 1.20.0
>
>
> Update com.google.protobuf_protobuf-java from 3.20.1 to 3.20.3. This will
> remediate [CVE-2022-3509|https://nvd.nist.gov/vuln/detail/CVE-2022-3509]
> Twistlock scan reported this as high severity vulnerability in NiFi Toolkit
> (which is included in NiFi version 1.19.1).
> Impacted versions: >=3.20.0 and <3.20.3
> Discovered: 2 days ago
> Published: 2 days ago
> A parsing issue similar to CVE-2022-3171, but with textformat in
> protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and
> 3.16.3 can lead to a denial of service attack. Inputs containing multiple
> instances of non-repeated embedded messages with repeated or unknown fields
> causes objects to be converted back-n-forth between mutable and immutable
> forms, resulting in potentially long garbage collection pauses. We recommend
> updating to the versions mentioned above.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
