Please stop replying to this thread. You can follow up on the private thread between you and the Apache NiFi security team for more information.

Andy LoPresto
[email protected]
[email protected]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

> On Oct 15, 2018, at 14:49, Dnyaneshwar Pawar <[email protected]> wrote:
>
> Thank you for your reply. Is there any official documentation or link where
> we can point and assure our user about this?
> Basically their scan is reporting CVE-2018-1000613, CVE-2018-1000180,
> 2009-0001 issues.
>
> Regards,
> Dnyaneshwar Pawar
>
> From: Andy LoPresto <[email protected]>
> Sent: Wednesday, October 10, 2018 6:37 PM
> To: [email protected]
> Subject: Re: Security issues for NiFi's supporting libs.
>
> The Apache NiFi security team has responded to these messages via private
> email. For all interested parties, please know that NiFi is not vulnerable to
> CVE-2018-1000613, and further discussion is needed for the second CVE listed,
> as this issue number does not match the description provided.
>
> All users should refer to the Apache NiFi Security Reporting Guidelines for
> the coordinated disclosure process [1].
>
> [1] https://nifi.apache.org/security.html
>
> Andy LoPresto
> [email protected]
> [email protected]
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>
> On Oct 10, 2018, at 4:50 PM, Dnyaneshwar Pawar <[email protected]> wrote:
>
> More organized information.
>
> Vulnerability: CVE-2018-1000613
> Severity: High
> Package/jar: bcprov-jdk15on-1.59.jar
> Description: Legion of the Bouncy Castle Java Cryptography APIs version prior
> to version 1.60 contains a CWE-470: Use of Externally-Controlled Input to
> Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT
> private key deserialization that can result in the execution of unexpected
> code when deserializing an XMSS/XMSS^MT private key. This attack appears to be
> exploitable via a handcrafted private key that can include references to
> unexpected classes which will be picked up from the class path for the
> executing application. This vulnerability appears to have been fixed in 1.60
> and later.
>
> Vulnerability: CVE 2009-0001
> Severity: Medium
> Package/jar: commons-codec-1.11.jar
> Description: Not all "business" method implementations of public API in Apache
> Commons Codec 1.x are thread safe, which might disclose the wrong data or allow
> an attacker to change non-private fields.
>
> From: Dnyaneshwar Pawar <[email protected]>
> Sent: Wednesday, October 10, 2018 12:35 PM
> To: [email protected]
> Subject: Security issues for NiFi's supporting libs.
>
> Hi,
>
> We are using Apache NiFi 1.7.0 and the security scan has high severity
> issues for Bouncy Castle bcprov-jdk15on-1.59 and Apache's commons-codec lib.
> How should we address them? The Bouncy Castle upgraded them to fix the
> issues. What about commons-codec, and are they available in 1.7.1?
>
> Thanks in advance.
>
> Regards,
> Dnyaneshwar Pawar
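As an added example (not code from the thread or from the NiFi project), a small inventory check that lists the jars in a NiFi lib directory and flags a bundled bcprov-jdk15on older than 1.60, the fixed version the scan report quoted above cites for CVE-2018-1000613. The lib path and the sample jar names are constructed; a flagged jar only reproduces the scanner's version match, it does not by itself mean the application is exploitable, which is the point the security team's reply makes about NiFi.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Artifact -> (first fixed version, advisory), taken from the scan report quoted
# in the thread. commons-codec is deliberately absent: the thread does not settle
# which advisory the scanner's "2009-0001" entry actually refers to.
FIXED_VERSIONS: Dict[str, Tuple[str, str]] = {
    "bcprov-jdk15on": ("1.60", "CVE-2018-1000613"),
}

# Matches Maven-style file names such as bcprov-jdk15on-1.59.jar.
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def parse_jar_name(name: str) -> Optional[Tuple[str, str]]:
    """Split 'bcprov-jdk15on-1.59.jar' into ('bcprov-jdk15on', '1.59'); None if no match."""
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric comparison, so that 1.9 < 1.60 (plain string comparison gets this wrong)."""
    return tuple(int(p) for p in v.split("."))


def flag_outdated(jar_names: List[str]) -> List[Tuple[str, str, str]]:
    """Return (jar, advisory, fixed_version) for each jar below its first fixed version."""
    findings = []
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact in FIXED_VERSIONS:
            fixed, advisory = FIXED_VERSIONS[artifact]
            if version_tuple(version) < version_tuple(fixed):
                findings.append((name, advisory, fixed))
    return findings


def scan_lib_dir(lib_dir: str) -> List[Tuple[str, str, str]]:
    """Inventory every *.jar under a NiFi lib directory (the path is an assumption)."""
    return flag_outdated([p.name for p in Path(lib_dir).glob("*.jar")])


if __name__ == "__main__":
    # Constructed sample standing in for a real NiFi 1.7.0 lib/ listing.
    sample = ["bcprov-jdk15on-1.59.jar", "commons-codec-1.11.jar", "nifi-api-1.7.0.jar"]
    for jar, advisory, fixed in flag_outdated(sample):
        print(f"{jar}: below {fixed}, matches the scanner rule for {advisory}")
```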
