[nifi] branch main updated: NIFI-10087 Implemented UDPEventRecordSink
This is an automated email from the ASF dual-hosted git repository. greyp pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 07bbcb771e NIFI-10087 Implemented UDPEventRecordSink 07bbcb771e is described below commit 07bbcb771e537c10f96d1d9246cc6aa66be0a1e0 Author: exceptionfactory AuthorDate: Fri Jun 3 20:37:50 2022 -0500 NIFI-10087 Implemented UDPEventRecordSink This closes #6099 Signed-off-by: Paul Grey --- .../nifi-record-sink-service/pom.xml | 5 + .../nifi/record/sink/event/UDPEventRecordSink.java | 183 + .../org.apache.nifi.controller.ControllerService | 1 + .../record/sink/event/TestUDPEventRecordSink.java | 178 4 files changed, 367 insertions(+) diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-record-sink-service-bundle/nifi-record-sink-service/pom.xml b/nifi-nar-bundles/nifi-standard-services/nifi-record-sink-service-bundle/nifi-record-sink-service/pom.xml index 04fadc254b..ec12d9b5e1 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-record-sink-service-bundle/nifi-record-sink-service/pom.xml +++ b/nifi-nar-bundles/nifi-standard-services/nifi-record-sink-service-bundle/nifi-record-sink-service/pom.xml @@ -54,6 +54,11 @@ org.apache.nifi nifi-properties + +org.apache.nifi +nifi-event-transport +1.17.0-SNAPSHOT + org.apache.nifi nifi-mock diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-record-sink-service-bundle/nifi-record-sink-service/src/main/java/org/apache/nifi/record/sink/event/UDPEventRecordSink.java b/nifi-nar-bundles/nifi-standard-services/nifi-record-sink-service-bundle/nifi-record-sink-service/src/main/java/org/apache/nifi/record/sink/event/UDPEventRecordSink.java new file mode 100644 index 00..8fb98855c9 --- /dev/null +++ b/nifi-nar-bundles/nifi-standard-services/nifi-record-sink-service-bundle/nifi-record-sink-service/src/main/java/org/apache/nifi/record/sink/event/UDPEventRecordSink.java 
@@ -0,0 +1,183 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.nifi.record.sink.event; + +import org.apache.nifi.annotation.documentation.CapabilityDescription; +import org.apache.nifi.annotation.documentation.Tags; +import org.apache.nifi.annotation.lifecycle.OnDisabled; +import org.apache.nifi.annotation.lifecycle.OnEnabled; +import org.apache.nifi.components.PropertyDescriptor; +import org.apache.nifi.controller.AbstractControllerService; +import org.apache.nifi.controller.ConfigurationContext; +import org.apache.nifi.event.transport.EventSender; +import org.apache.nifi.event.transport.configuration.TransportProtocol; +import org.apache.nifi.event.transport.netty.ByteArrayNettyEventSenderFactory; +import org.apache.nifi.expression.ExpressionLanguageScope; +import org.apache.nifi.processor.util.StandardValidators; +import org.apache.nifi.record.sink.RecordSinkService; +import org.apache.nifi.schema.access.SchemaNotFoundException; +import org.apache.nifi.serialization.RecordSetWriter; +import org.apache.nifi.serialization.RecordSetWriterFactory; +import org.apache.nifi.serialization.WriteResult; +import org.apache.nifi.serialization.record.Record; +import 
org.apache.nifi.serialization.record.RecordSet; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.time.Duration; +import java.util.Arrays; +import java.util.Collections; +import java.util.LinkedHashMap; +import java.util.List; +import java.util.Map; + +/** + * Record Sink Service implementation writes Records and sends a serialized Record to a UDP destination + */ +@Tags({"UDP", "event", "record", "sink"}) +@CapabilityDescription("Format and send Records as UDP Datagram Packets to a configurable destination") +public class UDPEventRecordSink extends AbstractControllerService implements RecordSinkService { + +public static final PropertyDescriptor HOSTNAME = new PropertyDescriptor.Builder() +.name("hostname") +.displayName("Hostname") +
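Review bot: in the `pom.xml` hunk the new `nifi-event-transport` dependency pins a literal `1.17.0-SNAPSHOT` version, while the neighbouring `nifi-properties` and `nifi-mock` entries in the same block carry no version at all. The version should come from the bundle's dependency management (or `${project.version}`) like its neighbours, otherwise this line has to be edited by hand at every release and the module will not build against a released parent.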
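Review bot: the class Javadoc and `@CapabilityDescription` in the `UDPEventRecordSink.java` hunk say only that records are formatted and sent as UDP datagram packets. The imports show the serialized output being buffered in a `ByteArrayOutputStream` and handed to a `ByteArrayNettyEventSenderFactory` sender over `TransportProtocol` UDP, so two properties of that transport need to be documented for whoever enables this sink: delivery is not guaranteed, and a serialized record set larger than the maximum datagram size cannot go out as one packet. The visible part of the file contains no size check, so the description should say how an oversize record set is handled (rejected, truncated or split) and that loss of individual datagrams is silent.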
[nifi] branch main updated: NIFI-10119 Upgraded test hadoop-minikdc from 3.1.0 to 3.3.3
This is an automated email from the ASF dual-hosted git repository. exceptionfactory pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/main by this push: new 1f2820a39a NIFI-10119 Upgraded test hadoop-minikdc from 3.1.0 to 3.3.3 1f2820a39a is described below commit 1f2820a39a3720b25bf0e19f07e83da58fdfa639 Author: UcanInfosec <107478475+ucaninfo...@users.noreply.github.com> AuthorDate: Wed Jun 15 09:49:25 2022 -0400 NIFI-10119 Upgraded test hadoop-minikdc from 3.1.0 to 3.3.3 - Corrected JUnit 5 Assertions usage in KerberosUserIT This closes #6129 Signed-off-by: David Handermann --- nifi-commons/nifi-security-kerberos/pom.xml| 2 +- .../apache/nifi/security/krb/KerberosUserIT.java | 35 ++ 2 files changed, 17 insertions(+), 20 deletions(-) diff --git a/nifi-commons/nifi-security-kerberos/pom.xml b/nifi-commons/nifi-security-kerberos/pom.xml index 96b985ab21..7830c03f00 100644 --- a/nifi-commons/nifi-security-kerberos/pom.xml +++ b/nifi-commons/nifi-security-kerberos/pom.xml @@ -43,7 +43,7 @@ org.apache.hadoop hadoop-minikdc -3.1.0 +3.3.3 test diff --git a/nifi-commons/nifi-security-kerberos/src/test/java/org/apache/nifi/security/krb/KerberosUserIT.java b/nifi-commons/nifi-security-kerberos/src/test/java/org/apache/nifi/security/krb/KerberosUserIT.java index a7a3cb1032..1fbf89dcac 100644 --- a/nifi-commons/nifi-security-kerberos/src/test/java/org/apache/nifi/security/krb/KerberosUserIT.java +++ b/nifi-commons/nifi-security-kerberos/src/test/java/org/apache/nifi/security/krb/KerberosUserIT.java @@ -17,7 +17,6 @@ package org.apache.nifi.security.krb; import org.apache.nifi.logging.ComponentLog; -import org.apache.nifi.processor.ProcessContext; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.io.TempDir; 
@@ -26,7 +25,6 @@ import org.mockito.Mockito; import javax.security.auth.Subject; import javax.security.auth.kerberos.KerberosPrincipal; import javax.security.auth.kerberos.KerberosTicket; -import javax.security.auth.login.LoginException; import java.io.File; import java.nio.file.Path; import java.security.AccessControlContext; @@ -38,9 +36,9 @@ import java.util.Set; import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicReference; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertTrue; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertTrue; import static org.junit.jupiter.api.Assertions.assertThrows; public class KerberosUserIT { 
@@ -77,23 +75,23 @@ public class KerberosUserIT { } @Test -public void testKeytabUserSuccessfulLoginAndLogout() throws LoginException { +public void testKeytabUserSuccessfulLoginAndLogout() { // perform login for user1 -final KerberosUser user1 = new KerberosKeytabUser(principal1.getName(), principal1KeytabFile.getAbsolutePath()); +final KerberosKeytabUser user1 = new KerberosKeytabUser(principal1.getName(), principal1KeytabFile.getAbsolutePath()); user1.login(); // perform login for user2 -final KerberosUser user2 = new KerberosKeytabUser(principal2.getName(), principal2KeytabFile.getAbsolutePath()); +final KerberosKeytabUser user2 = new KerberosKeytabUser(principal2.getName(), principal2KeytabFile.getAbsolutePath()); user2.login(); // verify user1 Subject only has user1 principal -final Subject user1Subject = ((KerberosKeytabUser) user1).getSubject(); +final Subject user1Subject = user1.getSubject(); final Set user1SubjectPrincipals = user1Subject.getPrincipals(); assertEquals(1, user1SubjectPrincipals.size()); assertEquals(principal1.getName(), user1SubjectPrincipals.iterator().next().getName()); // verify user2 Subject only has user2 principal -final Subject user2Subject = ((KerberosKeytabUser) user2).getSubject(); +final Subject user2Subject = user2.getSubject(); final Set user2SubjectPrincipals = user2Subject.getPrincipals(); assertEquals(1, user2SubjectPrincipals.size()); assertEquals(principal2.getName(), user2SubjectPrincipals.iterator().next().getName()); @@ -115,17 +113,17 @@ public class KerberosUserIT { public void testKeytabLoginWithUnknownPrincipal() { final String unknownPrincipal = "doesnotexist@" + kdc.getRealm(); final KerberosUser user1 = new KerberosKeytabUser(unknownPrincipal, principal1KeytabFile.getAbsolutePath()); -assertThrows(Exception.class, () ->
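Review bot: in the last `KerberosUserIT.java` hunk, `testKeytabLoginWithUnknownPrincipal` keeps `assertThrows(Exception.class, () -> ...)`. Now that the assertion imports are all `org.junit.jupiter.api.Assertions`, narrow the expected type to the specific exception `KerberosKeytabUser.login()` raises for an unknown principal; `Exception.class` is also satisfied by an unrelated failure such as an unreadable keytab path, so the test cannot currently distinguish "KDC rejected the principal" from "the fixture is broken". The earlier hunk that declares `user1`/`user2` as `KerberosKeytabUser` and drops the casts and the unused `throws LoginException` is fine as shown.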
[nifi-maven] branch dependabot/maven/com.puppycrawl.tools-checkstyle-8.29 created (now 37503e3)
This is an automated email from the ASF dual-hosted git repository. github-bot pushed a change to branch dependabot/maven/com.puppycrawl.tools-checkstyle-8.29 in repository https://gitbox.apache.org/repos/asf/nifi-maven.git at 37503e3 Bump checkstyle from 6.5 to 8.29 No new revisions were added by this update.
[nifi-maven] branch main updated: NIFI-10011 Recursively look for provided API implementations
This is an automated email from the ASF dual-hosted git repository. kdoran pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-maven.git The following commit(s) were added to refs/heads/main by this push: new 03d924c NIFI-10011 Recursively look for provided API implementations 03d924c is described below commit 03d924c1028bbb10792f045fe8cb0f5c670f36ae Author: Bryan Bende AuthorDate: Tue May 10 13:57:35 2022 -0400 NIFI-10011 Recursively look for provided API implementations --- .../extraction/ExtensionDefinitionFactory.java | 26 ++ 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/src/main/java/org/apache/nifi/extension/definition/extraction/ExtensionDefinitionFactory.java b/src/main/java/org/apache/nifi/extension/definition/extraction/ExtensionDefinitionFactory.java index d632d19..5e51614 100644 --- a/src/main/java/org/apache/nifi/extension/definition/extraction/ExtensionDefinitionFactory.java +++ b/src/main/java/org/apache/nifi/extension/definition/extraction/ExtensionDefinitionFactory.java 
@@ -83,22 +83,30 @@ public class ExtensionDefinitionFactory { final Set serviceApis = new HashSet<>(); final Class controllerServiceClass = Class.forName("org.apache.nifi.controller.ControllerService", false, extensionClassLoader); +addProvidedServiceAPIs(controllerServiceClass, extensionClass, serviceApis); +return serviceApis; +} -for (final Class implementedInterface : extensionClass.getInterfaces()) { -if (controllerServiceClass.isAssignableFrom(implementedInterface)) { -final ClassLoader interfaceClassLoader = implementedInterface.getClassLoader(); -if (interfaceClassLoader instanceof ExtensionClassLoader) { -final Artifact interfaceNarArtifact = ((ExtensionClassLoader) interfaceClassLoader).getNarArtifact(); +private void addProvidedServiceAPIs(final Class controllerServiceClass, final Class extensionClass, final Set serviceApis) { +if (extensionClass.getInterfaces() != null) { +for (final Class implementedInterface : extensionClass.getInterfaces()) { +if (controllerServiceClass.isAssignableFrom(implementedInterface) && !controllerServiceClass.equals(implementedInterface)) { +final ClassLoader interfaceClassLoader = implementedInterface.getClassLoader(); +if (interfaceClassLoader instanceof ExtensionClassLoader) { +final Artifact interfaceNarArtifact = ((ExtensionClassLoader) interfaceClassLoader).getNarArtifact(); -final ServiceAPIDefinition serviceDefinition = new StandardServiceAPIDefinition(implementedInterface.getName(), -interfaceNarArtifact.getGroupId(), interfaceNarArtifact.getArtifactId(), interfaceNarArtifact.getBaseVersion()); +final ServiceAPIDefinition serviceDefinition = new StandardServiceAPIDefinition(implementedInterface.getName(), +interfaceNarArtifact.getGroupId(), interfaceNarArtifact.getArtifactId(), interfaceNarArtifact.getBaseVersion()); -serviceApis.add(serviceDefinition); +serviceApis.add(serviceDefinition); +} } } } -return serviceApis; +if (extensionClass.getSuperclass() != null) { +addProvidedServiceAPIs(controllerServiceClass, 
extensionClass.getSuperclass(), serviceApis); +} } private Set discoverClassNames(final String extensionType) throws IOException {
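Review bot: two points on the `addProvidedServiceAPIs` hunk. First, `extensionClass.getInterfaces() != null` is a dead check: `Class.getInterfaces()` returns an empty array, never null, so the guard and one level of indentation can go. Second, the recursion follows `getSuperclass()` but never the superinterfaces of each `implementedInterface`; an extension that implements `MyApi` where `interface MyApi extends SomeServiceApi` will record `MyApi` but not `SomeServiceApi`, even though the class provides both. If inherited service APIs are meant to be discovered, recurse into `implementedInterface.getInterfaces()` as well, keeping the new `!controllerServiceClass.equals(implementedInterface)` exclusion so the base `ControllerService` interface itself is never recorded as a provided API.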
[nifi-maven] 01/02: [NIFI-9856] make build reproducible
This is an automated email from the ASF dual-hosted git repository. kdoran pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-maven.git commit 015de63ba3718369ff99323f3b4904471d9b7f72 Author: Hervé Boutemy AuthorDate: Thu Mar 31 19:03:37 2022 +0200 [NIFI-9856] make build reproducible --- pom.xml | 40 +--- 1 file changed, 9 insertions(+), 31 deletions(-) diff --git a/pom.xml b/pom.xml index ae660fd..4dd942c 100644 --- a/pom.xml +++ b/pom.xml @@ -18,7 +18,7 @@ org.apache apache -17 +25 org.apache.nifi @@ -74,11 +74,12 @@ https://issues.apache.org/jira/browse/NIFI -1.7 -1.7 +1.8 +1.8 3.1.0 UTF-8 UTF-8 + 2022-02-17T22:08:13Z 2014 @@ -95,11 +96,6 @@ true - -org.apache.maven.plugins -maven-war-plugin -2.5 - org.apache.maven.plugins maven-dependency-plugin @@ -122,12 +118,12 @@ org.apache.maven.plugins maven-source-plugin -2.4 +3.2.1 org.apache.maven.plugins maven-jar-plugin -2.5 +3.2.2 org.apache.maven.plugins @@ -146,9 +142,9 @@ org.apache.maven.plugins maven-release-plugin -2.5.1 +3.0.0-M5 -true +false apache-release true deploy @@ -168,16 +164,6 @@ - -org.codehaus.mojo -rpm-maven-plugin -2.1.1 - - -org.antlr -antlr3-maven-plugin -3.5.2 - org.apache.maven.plugins maven-checkstyle-plugin @@ -360,14 +346,6 @@ - -org.apache.maven.plugins -maven-compiler-plugin - -8 -8 - - @@ -402,7 +380,7 @@ just to simplify the dependencies list. --> org.apache.maven.plugins maven-jar-plugin -2.5 +3.2.2 org.apache.maven.plugin-tools
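Review bot: the `2022-02-17T22:08:13Z` value added in the properties hunk is the reproducible-build output timestamp (presumably `project.build.outputTimestamp`; the element name is not visible in the extracted diff). It must change for every release, or every release will embed the same timestamp in its jars and the "reproducible" builds will be indistinguishable by date. The same patch moves `maven-release-plugin` to `3.0.0-M5`, which rewrites that property during `release:prepare`, so a comment beside the property saying it is release-managed would stop someone editing it by hand. Separately, the parent bump from `apache` `17` to `25` and the move from `1.7` to `1.8` source/target change default plugin versions and the emitted bytecode level, which is a larger change than "make build reproducible" conveys; the commit message should mention both.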
[nifi-maven] branch main updated (1285f4b -> 8a50344)
This is an automated email from the ASF dual-hosted git repository. kdoran pushed a change to branch main in repository https://gitbox.apache.org/repos/asf/nifi-maven.git from 1285f4b Merge branch 'nifi-maven-1.3.3-rc1' into main new 015de63 [NIFI-9856] make build reproducible new 8a50344 [NIFI-9857] make output reproducible The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: pom.xml| 67 -- src/main/java/org/apache/nifi/NarMojo.java | 41 ++ 2 files changed, 59 insertions(+), 49 deletions(-)
svn commit: r1901946 - /nifi/site/trunk/security.html
Author: thenatog Date: Wed Jun 15 16:04:25 2022 New Revision: 1901946 URL: http://svn.apache.org/viewvc?rev=1901946=rev Log: NIFI-10113 - Fixed mitigation on NiFi security page. Modified: nifi/site/trunk/security.html Modified: nifi/site/trunk/security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1901946=1901945=1901946=diff == --- nifi/site/trunk/security.html (original) +++ nifi/site/trunk/security.html Wed Jun 15 16:04:25 2022 
@@ -174,15 +174,20 @@ CVE-2022-33140: Improper Neutralization of Command Elements in Shell User Group Provider Severity: High -Products Affected: Apache NiFi, Apache NiFi Registry +Products Affected: + +Apache NiFi +Apache NiFi Registry + Versions Affected: -This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS. This issue also affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS. +This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS. +This issue affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS. Description: The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups to execute the command. -Mitigation: Upgrading to NiFi 1.16.1 disables Document Type Declarations in the default configuration for these processors, and disallows XML External Entity resolution in standard services. +Mitigation: NiFi and NiFi Registry version 1.16.3 has completely removed the shell commands from the ShellUserGroupProvider that received user arguments. Credit: This issue was discovered by an anonymous reporter CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33140; target="_blank">Mitre Database CVE-2022-33140 NiFi Jira: https://issues.apache.org/jira/browse/NIFI-10114; target="_blank">NIFI-10114
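Review bot: the new Mitigation line reads "NiFi and NiFi Registry version 1.16.3 has completely removed the shell commands from the ShellUserGroupProvider that received user arguments"; the subject is plural, so "have", and the line still does not tell the reader what to do. The other entries on this page phrase mitigation as an action ("Upgrading to NiFi 1.16.1 ..."), so this one should say that users of NiFi and NiFi Registry should upgrade to 1.16.3, which removes those commands. The removed line was the XXE/DTD mitigation copied from the 1.16.1 entry, so replacing it is the right fix.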
[nifi-site] branch main updated: NIFI-10113 - Fixed mitigation on NiFi security page.
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-site.git The following commit(s) were added to refs/heads/main by this push: new 9452fa7 NIFI-10113 - Fixed mitigation on NiFi security page. 9452fa7 is described below commit 9452fa75f6247b1283fe70083442ff7f3538d8a8 Author: Nathan Gough AuthorDate: Wed Jun 15 11:40:40 2022 -0400 NIFI-10113 - Fixed mitigation on NiFi security page. --- src/pages/html/security.hbs | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs index 5c3293c..fc419a6 100644 --- a/src/pages/html/security.hbs +++ b/src/pages/html/security.hbs 
@@ -68,15 +68,20 @@ title: Apache NiFi Security Reports CVE-2022-33140: Improper Neutralization of Command Elements in Shell User Group Provider Severity: High -Products Affected: Apache NiFi, Apache NiFi Registry +Products Affected: + +Apache NiFi +Apache NiFi Registry + Versions Affected: -This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS. This issue also affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS. +This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS. +This issue affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS. Description: The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user gr [...] -Mitigation: Upgrading to NiFi 1.16.1 disables Document Type Declarations in the default configuration for these processors, and disallows XML External Entity resolution in standard services. +Mitigation: NiFi and NiFi Registry version 1.16.3 has completely removed the shell commands from the ShellUserGroupProvider that received user arguments. Credit: This issue was discovered by an anonymous reporter CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33140; target="_blank">Mitre Database CVE-2022-33140 NiFi Jira: https://issues.apache.org/jira/browse/NIFI-10114; target="_blank">NIFI-10114
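Review bot: in the new Mitigation line, "NiFi and NiFi Registry version 1.16.3 has completely removed" should read "have", and the sentence should state the action the reader must take (upgrade NiFi and NiFi Registry to 1.16.3) in the same form the page's other entries use ("Upgrading to NiFi 1.16.1 ..."). Since `security.hbs` is the source the published site page is generated from, the wording belongs here rather than only in the published HTML.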
svn commit: r1901943 - in /nifi/site/trunk: people.html security.html
Author: thenatog Date: Wed Jun 15 15:20:48 2022 New Revision: 1901943 URL: http://svn.apache.org/viewvc?rev=1901943=rev Log: NIFI-10113 - Updated NiFi security page with details on CVE-2022-33140 Modified: nifi/site/trunk/people.html nifi/site/trunk/security.html Modified: nifi/site/trunk/people.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/people.html?rev=1901943=1901942=1901943=diff == --- nifi/site/trunk/people.html (original) +++ nifi/site/trunk/people.html Wed Jun 15 15:20:48 2022 @@ -435,6 +435,11 @@ Martin Zink + +bsimon +Bence Simon + + Modified: nifi/site/trunk/security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1901943=1901942=1901943=diff == --- nifi/site/trunk/security.html (original) +++ nifi/site/trunk/security.html Wed Jun 15 15:20:48 2022 
@@ -161,6 +161,38 @@ +Fixed in Apache NiFi 1.16.3 + + + + + +Vulnerabilities + + + + +CVE-2022-33140: Improper Neutralization of Command Elements in Shell User Group Provider +Severity: High +Products Affected: Apache NiFi, Apache NiFi Registry +Versions Affected: + +This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS. This issue also affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS. + + +Description: The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. +The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user groups to execute the command. +Mitigation: Upgrading to NiFi 1.16.1 disables Document Type Declarations in the default configuration for these processors, and disallows XML External Entity resolution in standard services. +Credit: This issue was discovered by an anonymous reporter +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33140; target="_blank">Mitre Database CVE-2022-33140 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-10114; target="_blank">NIFI-10114 +NiFi PR: https://github.com/apache/nifi/pull/6122; target="_blank">PR 6122 +Released: June 15, 2022 + + + + + Fixed in Apache NiFi 1.16.1
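Review bot: the Mitigation line added for CVE-2022-33140 ("Upgrading to NiFi 1.16.1 disables Document Type Declarations ... disallows XML External Entity resolution") is the text of the "Fixed in Apache NiFi 1.16.1" XXE entry that follows and does not describe this fix. The new entry sits under "Fixed in Apache NiFi 1.16.3" and concerns operating-system command injection through `ShellUserGroupProvider`, so the Mitigation should say that 1.16.3 removes the shell commands that received user-supplied arguments and that NiFi and NiFi Registry users should upgrade to 1.16.3. The `people.html` hunk adding `bsimon` is unrelated to NIFI-10113 and would be cleaner as its own commit so the security page's history stays self-explanatory.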
[nifi-site] branch main updated: NIFI-10113 - Updated NiFi security page with details on CVE-2022-33140
This is an automated email from the ASF dual-hosted git repository. thenatog pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-site.git The following commit(s) were added to refs/heads/main by this push: new 7293db3 NIFI-10113 - Updated NiFi security page with details on CVE-2022-33140 7293db3 is described below commit 7293db3394e7c9f8f7604ce16c35f72558aa7c1f Author: Nathan Gough AuthorDate: Wed Jun 15 11:17:30 2022 -0400 NIFI-10113 - Updated NiFi security page with details on CVE-2022-33140 --- src/pages/html/security.hbs | 32 1 file changed, 32 insertions(+) diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs index c0d1ae3..5c3293c 100644 --- a/src/pages/html/security.hbs +++ b/src/pages/html/security.hbs 
@@ -53,6 +53,38 @@ title: Apache NiFi Security Reports + + +Fixed in Apache NiFi 1.16.3 + + + + + +Vulnerabilities + + + + +CVE-2022-33140: Improper Neutralization of Command Elements in Shell User Group Provider +Severity: High +Products Affected: Apache NiFi, Apache NiFi Registry +Versions Affected: + +This issue affects Apache NiFi 1.10.0 to 1.16.2 on Linux and macOS. This issue also affects Apache NiFi Registry 0.6.0 to 1.16.2 on Linux and macOS. + + +Description: The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. +The ShellUserGroupProvider is not included in the default configuration. Command injection requires ShellUserGroupProvider to be one of the enabled User Group Providers in the Authorizers configuration. Command injection also requires an authenticated user with elevated privileges. Apache NiFi requires an authenticated user with authorization to modify access policies to execute the command. Apache NiFi Registry requires an authenticated user with authorization to read user gr [...] +Mitigation: Upgrading to NiFi 1.16.1 disables Document Type Declarations in the default configuration for these processors, and disallows XML External Entity resolution in standard services. +Credit: This issue was discovered by an anonymous reporter +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33140; target="_blank">Mitre Database CVE-2022-33140 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-10114; target="_blank">NIFI-10114 +NiFi PR: https://github.com/apache/nifi/pull/6122; target="_blank">PR 6122 +Released: June 15, 2022 + + + Fixed in Apache NiFi 1.16.1
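Review bot: the Mitigation text in the new CVE-2022-33140 block is the 1.16.1 XXE mitigation ("disables Document Type Declarations ... XML External Entity resolution") and is wrong for a `ShellUserGroupProvider` command-injection entry placed under "Fixed in Apache NiFi 1.16.3"; it should state that 1.16.3 removes the shell commands that received user-supplied arguments and that NiFi and NiFi Registry users should upgrade to 1.16.3. Everything else in the block (affected versions, the note that the provider is not enabled by default and that an authenticated privileged user is required, the CVE, Jira and PR links) reads correctly.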
[nifi-site] branch main updated: Added Bence Simon to committers list
This is an automated email from the ASF dual-hosted git repository. bsimon pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-site.git The following commit(s) were added to refs/heads/main by this push: new 3eee097 Added Bence Simon to committers list 3eee097 is described below commit 3eee097edd9aa5b3f3fcd57aa7c74e4d6c0d0615 Author: Bence Simon AuthorDate: Wed Jun 15 15:59:15 2022 +0200 Added Bence Simon to committers list --- src/pages/html/people.hbs | 5 + 1 file changed, 5 insertions(+) diff --git a/src/pages/html/people.hbs b/src/pages/html/people.hbs index ff7156c..62b204a 100644 --- a/src/pages/html/people.hbs +++ b/src/pages/html/people.hbs @@ -329,6 +329,11 @@ title: Apache NiFi Team Martin Zink + +bsimon +Bence Simon + +