[ 
https://issues.apache.org/jira/browse/NIFI-9675?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Matt Burgess resolved NIFI-9675.
--------------------------------
    Fix Version/s: 1.16.0
       Resolution: Duplicate

Resolved as duplicate of NIFI-9585

> Upgrade H2 to 2.1.210 to mitigate Critical CVEs
> -----------------------------------------------
>
>                 Key: NIFI-9675
>                 URL: https://issues.apache.org/jira/browse/NIFI-9675
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Raman N
>            Priority: Major
>             Fix For: 1.16.0
>
>
> In the H2 versions used in Apache NiFi, the following vulnerabilities are detected by 
> Trivy:
> [https://nvd.nist.gov/vuln/detail/CVE-2021-42392]
> [https://nvd.nist.gov/vuln/detail/CVE-2022-23221]
> These CVEs can be fixed by upgrading the *h2* version to 2.1.210.
> *CVE-2021-42392:*
> {code:java}
> {
>           "VulnerabilityID": "CVE-2021-42392",
>           "PkgName": "com.h2database:h2",
>           "PkgPath": "opt/nifi/nifi-toolkit-current/lib/h2-1.4.199.jar",
>           "InstalledVersion": "1.4.199",
>           "FixedVersion": "2.0.206",
>           "Layer": {
>             "Digest": "sha256:4e4453b0591c2445b47576e4a8721ccc1bb1e7312c9f78c6c0f7fdbddad2a0f3",
>             "DiffID": "sha256:5e21f394214906c7864139895d26d2dae021b68493693c633f5f9b0a690ae2b2"
>           },
>           "SeveritySource": "ghsa-maven",
>           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42392",
>           "Title": "h2: Remote Code Execution in Console",
>           "Description": "The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.",
>           "Severity": "CRITICAL",
>           "CweIDs": [
>             "CWE-502"
>           ],
>           "CVSS": {
>             "nvd": {
>               "V2Vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
>               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
>               "V2Score": 10,
>               "V3Score": 9.8
>             },
>             "redhat": {
>               "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
>               "V3Score": 7.1
>             }
>           } ...
> {code}
> *CVE-2022-23221:*
> {code:java}
>         {
>           "VulnerabilityID": "CVE-2022-23221",
>           "PkgName": "com.h2database:h2",
>           "PkgPath": "opt/nifi/nifi-toolkit-current/lib/h2-1.4.199.jar",
>           "InstalledVersion": "1.4.199",
>           "FixedVersion": "2.1.210",
>           "Layer": {
>             "Digest": "sha256:4e4453b0591c2445b47576e4a8721ccc1bb1e7312c9f78c6c0f7fdbddad2a0f3",
>             "DiffID": "sha256:5e21f394214906c7864139895d26d2dae021b68493693c633f5f9b0a690ae2b2"
>           },
>           "SeveritySource": "ghsa-maven",
>           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23221",
>           "Title": "h2: Loading of custom classes from remote servers through JNDI",
>           "Description": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.",
>           "Severity": "CRITICAL",
>           "CweIDs": [
>             "CWE-94"
>           ],
>           "CVSS": {
>             "nvd": {
>               "V2Vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
>               "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
>               "V2Score": 10,
>               "V3Score": 9.8
>             },
>             "redhat": {
>               "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
>               "V3Score": 8.1
>             }
>           },..
> {code}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
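The two Trivy findings above carry different FixedVersion values (2.0.206 and 2.1.210), and the ticket's conclusion is that only the higher one clears both. The script below, an added example that is not part of the NiFi issue, the NiFi project or Trivy, works that out mechanically: it parses a Trivy JSON report, keeps the com.h2database:h2 findings, computes the smallest version that satisfies every FixedVersion, and reports which CVEs a candidate upgrade would still leave open. It also checks a lib/ directory listing for h2-*.jar files below that version, since the finding here came from nifi-toolkit's lib directory. The SAMPLE_TRIVY_REPORT is constructed from the fields quoted in the ticket, the jar listing is constructed, and the "lowest listed fixed version" rule for comma-separated FixedVersion fields is an assumption noted in the code.

```python
"""Triage Trivy findings for com.h2database:h2 and compute the H2 version
that clears all of them.  Added example, not code from NIFI-9675 or Trivy."""
import json
import re
from typing import Dict, Iterable, List, Optional, Tuple

H2_PKG = "com.h2database:h2"

# Constructed sample: a trimmed Trivy JSON report with only the fields this
# script reads; the values come from the two findings quoted in the ticket.
SAMPLE_TRIVY_REPORT = json.dumps({
    "Results": [{
        "Target": "opt/nifi/nifi-toolkit-current/lib/h2-1.4.199.jar",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-42392", "PkgName": H2_PKG,
             "InstalledVersion": "1.4.199", "FixedVersion": "2.0.206",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2022-23221", "PkgName": H2_PKG,
             "InstalledVersion": "1.4.199", "FixedVersion": "2.1.210",
             "Severity": "CRITICAL"},
        ],
    }],
})


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.1.210' into (2, 1, 210) so versions compare numerically.

    Non-numeric qualifiers (e.g. '-SNAPSHOT') are ignored; that is adequate
    for H2's purely numeric release numbering, not for every Maven artifact.
    """
    return tuple(int(part) for part in re.findall(r"\d+", text))


def lowest_fixed_version(fixed_field: str) -> Tuple[int, ...]:
    """Trivy may list several fixed versions separated by ', '.

    Assumption: H2 fixes are forward-only, so the lowest listed version is the
    threshold.  For artifacts with backported fixes on older branches this
    simplification would be wrong; check the release notes in that case.
    """
    return min(parse_version(v) for v in fixed_field.split(",") if v.strip())


def h2_findings(report_json: str) -> List[dict]:
    """All findings in the report whose package is com.h2database:h2."""
    report = json.loads(report_json)
    found = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("PkgName") == H2_PKG:
                found.append(vuln)
    return found


def required_h2_version(report_json: str) -> Optional[str]:
    """Smallest H2 version that clears every H2 finding, or None if none."""
    fixed = [lowest_fixed_version(v["FixedVersion"])
             for v in h2_findings(report_json) if v.get("FixedVersion")]
    if not fixed:
        return None
    return ".".join(str(n) for n in max(fixed))


def triage(report_json: str, candidate_version: str) -> Dict[str, bool]:
    """Map each H2 CVE in the report to whether candidate_version fixes it."""
    cand = parse_version(candidate_version)
    return {v["VulnerabilityID"]: cand >= lowest_fixed_version(v["FixedVersion"])
            for v in h2_findings(report_json) if v.get("FixedVersion")}


JAR_NAME = re.compile(r"^h2-(\d+(?:\.\d+)*)\.jar$")


def h2_jars_needing_upgrade(jar_names: Iterable[str],
                            required: str) -> List[Tuple[str, str]]:
    """Given file names from a lib/ directory, return (jar, version) pairs
    whose H2 version is below `required`."""
    req = parse_version(required)
    need = []
    for name in jar_names:
        m = JAR_NAME.match(name)
        if m and parse_version(m.group(1)) < req:
            need.append((name, m.group(1)))
    return need


if __name__ == "__main__":
    required = required_h2_version(SAMPLE_TRIVY_REPORT)
    print("upgrade h2 to", required)
    for cve, ok in triage(SAMPLE_TRIVY_REPORT, "2.0.206").items():
        print(cve, "fixed at 2.0.206" if ok else "still open at 2.0.206")
    # Constructed listing, as `ls lib/` might look after a partial upgrade.
    listing = ["h2-1.4.199.jar", "h2-2.1.210.jar", "other-1.0.jar"]
    print(h2_jars_needing_upgrade(listing, required))
```

Run it against a real report with `trivy image --format json -o report.json <image>` and pass the file contents to `required_h2_version`; the stale-jar check matters because an upgraded Maven dependency does not remove an old `h2-1.4.199.jar` that was copied into a lib directory by hand.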
