[ https://issues.apache.org/jira/browse/NIFI-11484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17716728#comment-17716728 ]

David Handermann commented on NIFI-11484:
-----------------------------------------

The vulnerability is specific to the {{ExtractCCDAAttributes}} Processor, so if 
that Processor is not used, the {{nifi-ccda-nar}} can be removed from the 
{{lib}} directory. Flow configurations that do not use 
{{ExtractCCDAAttributes}} are not vulnerable to CVE-2022-22832.

> Fix CVE-2023-22832: Improper Restriction of XML External Entity References in 
> ExtractCCDAAttributes
> ---------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-11484
>                 URL: https://issues.apache.org/jira/browse/NIFI-11484
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.19.0, 1.19.1
>            Reporter: Jeyassri Balachandran
>            Priority: Minor
>
> Backporting the fix from nifi 1.20.
>  
> References: https://issues.apache.org/jira/browse/NIFI-11029
>  
> The {{ExtractCCDAAttributes}} Processor uses a custom {{CDAUtil}} class to 
> load and parse the FlowFile {{InputStream}}. The {{CDAUtil}} class also 
> includes a {{load}} method that takes a standard DOM {{Document}}. The 
> Processor should be updated to use the standard {{nifi-xml-processing}} 
> library for parsing the XML prior to calling {{CDAUtil.load}}.
> In addition to implementing standard XML parsing, the 
> {{ExtractCCDAAttributes}} Processor should be deprecated for removal because 
> the implementation relies on outdated libraries, and the extensive use of 
> FlowFile attributes does not align with best practices for record-oriented 
> data handling.
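As an added example, not NiFi's own code and not the {{nifi-xml-processing}} API the issue prescribes, the following hypothetical {{SafeCdaDomParser}} shows the parsing approach the description calls for: build the DOM {{Document}} with DOCTYPE and external entity handling disabled before anything like {{CDAUtil.load(Document)}} sees it. It uses plain JAXP as a stand-in; the sample XML strings are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical helper (not NiFi code): parse untrusted CDA XML into a DOM Document
// with DOCTYPE and external entity handling disabled before handing it to load(Document).
public final class SafeCdaDomParser {
    public static Document parse(InputStream in)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true); // CDA elements live in the urn:hl7-org:v3 namespace
        // Primary control: reject any DOCTYPE, so no entity declarations are possible at all.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a later configuration change re-enables DOCTYPEs.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        // Last line of defence: never resolve an entity from the file system or network.
        builder.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external entity resolution is disabled: " + systemId);
        });
        return builder.parse(in);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample with an external DTD reference: the hardened parser rejects it.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE ClinicalDocument SYSTEM \"http://dtd.example.invalid/cda.dtd\">"
                + "<ClinicalDocument xmlns=\"urn:hl7-org:v3\"/>";
        try {
            parse(new ByteArrayInputStream(withDoctype.getBytes(StandardCharsets.UTF_8)));
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Constructed sample without a DOCTYPE: parses normally and could be passed to load(Document).
        String plain = "<ClinicalDocument xmlns=\"urn:hl7-org:v3\"><title>demo</title></ClinicalDocument>";
        Document doc = parse(new ByteArrayInputStream(plain.getBytes(StandardCharsets.UTF_8)));
        System.out.println("parsed root element: " + doc.getDocumentElement().getLocalName());
    }
}
```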
--
This message was sent by Atlassian Jira
(v8.20.10#820010)