My 2 cents is you have options to do what you like with it being an open
source product.
You could always start running your own NiFi builds and applying patches in
your own fork, or if there was a case where
NiFi didn't have a fix yet applied to an updated build you could help
develop that and get it approved and back into the community.

I have found the easiest thing to do is watch release notes on the
downloads page (https://nifi.apache.org/download/) and try to keep the
product up-to-date on my servers.
Of course I skip some versions, but usually I do a quarterly review and see
if there are important CVEs or features I want, and then that's when I decide
to run to the next version. I rarely let my versions lag more than a year in
the worst-case scenario. And I try to avoid things that I think will make it
harder to apply the patches or cost me more time to test before updating a
production server. Also, in the last updates it's been pretty easy to review
and see if there are any migration notes (also on the page) and
determine if there's a processor or something I'm using that's not in the
new build. As long as it's there, generally I've not had any issues with an
update, and my main attention ends up on any changes in nifi.properties or
nifi.bootstrap.

Regards,
Chris
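The pre-upgrade review Chris describes (compare the new build's default
nifi.properties against the running one, and confirm every processor the flow
uses still exists in the candidate build) can be scripted. The following is an
added example, not code from Chris or from the Apache NiFi project. It assumes
the flow definition is the NiFi flow.json layout (a "rootGroup" holding
"processors" and nested "processGroups"); every property excerpt, flow and
component list below is constructed for the example, and the key
nifi.example.removed.setting and the type
org.example.nifi.processors.LegacyTransform are placeholders, not real NiFi
names.

```python
"""Pre-upgrade review helper (added example, not NiFi project code)."""
import json
from typing import Dict, Iterable, List, Set


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java-style key=value properties; comments and blank lines are skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _sep, value = line.partition("=")  # split on the first '=' only
        props[key.strip()] = value.strip()
    return props


def diff_properties(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, object]:
    """Keys added, removed and changed between the running and candidate configs."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {k: (old[k], new[k]) for k in sorted(set(old) & set(new)) if old[k] != new[k]}
    return {"added": added, "removed": removed, "changed": changed}


def referenced_processor_types(flow: dict) -> Set[str]:
    """Walk the process-group tree (assumed flow.json layout) and collect processor types."""
    types: Set[str] = set()

    def walk(group: dict) -> None:
        for proc in group.get("processors", []):
            types.add(proc["type"])
        for child in group.get("processGroups", []):
            walk(child)

    walk(flow["rootGroup"])
    return types


def missing_processor_types(referenced: Iterable[str], available: Iterable[str]) -> List[str]:
    """Processor types the flow uses that the candidate build does not ship."""
    return sorted(set(referenced) - set(available))


# Constructed excerpt of nifi.properties on the running node.
OLD_PROPERTIES = """
# running node
nifi.flow.configuration.file=./conf/flow.xml.gz
nifi.web.https.port=8443
nifi.web.jetty.threads=200
nifi.security.keystore=./conf/keystore.p12
nifi.security.keystoreType=PKCS12
nifi.example.removed.setting=true
"""

# Constructed excerpt of the candidate build's default nifi.properties.
NEW_PROPERTIES = """
# candidate build defaults
nifi.flow.configuration.file=./conf/flow.xml.gz
nifi.flow.configuration.json.file=./conf/flow.json.gz
nifi.web.https.port=8443
nifi.web.jetty.threads=240
nifi.web.https.network.interface.default=
nifi.security.keystore=./conf/keystore.p12
nifi.security.keystoreType=PKCS12
"""

# Constructed flow definition: one processor at the root, one in a child group.
FLOW_DEFINITION = json.dumps({
    "rootGroup": {
        "processors": [{"type": "org.apache.nifi.processors.standard.ListFile"}],
        "processGroups": [{
            "processors": [
                {"type": "org.apache.nifi.processors.standard.FetchFile"},
                {"type": "org.example.nifi.processors.LegacyTransform"},  # placeholder
            ],
            "processGroups": [],
        }],
    }
})

# Constructed component list for the candidate build.
AVAILABLE_IN_CANDIDATE = {
    "org.apache.nifi.processors.standard.ListFile",
    "org.apache.nifi.processors.standard.FetchFile",
    "org.apache.nifi.processors.standard.PutFile",
}


def review() -> Dict[str, object]:
    """Run both checks over the constructed inputs and return the findings."""
    props = diff_properties(parse_properties(OLD_PROPERTIES), parse_properties(NEW_PROPERTIES))
    used = referenced_processor_types(json.loads(FLOW_DEFINITION))
    return {"properties": props, "missing_processors": missing_processor_types(used, AVAILABLE_IN_CANDIDATE)}


if __name__ == "__main__":
    print(json.dumps(review(), indent=2))
```

Point the two property strings at the real files (running conf/nifi.properties
and the candidate tarball's conf/nifi.properties) and the flow string at the
decompressed flow.json.gz; a non-empty "missing_processors" list is the case
where the migration notes need reading before the upgrade is scheduled.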
On Thu, Oct 3, 2024 at 3:21 PM Joe Witt <joe.w...@gmail.com> wrote:

> As noted, that specific CVE is addressed already on the 1.x line as of
> 1.26.  There are no plans to backport that to older 1.x lines.
>
> However, if you're scanning versions there are a number of noted
> vulnerabilities of differing levels that impact the 1.x line related to
> Spring/Spring Security/Jetty/etc. components which cannot be addressed on
> the 1.x line.  They are, however, all addressed in 2.x.
>
> Thanks
>
> On Thu, Oct 3, 2024 at 1:05 PM Chirthani, Deepak Reddy <
> c-deepakreddy.chirth...@charter.com> wrote:
>
>> Michael,
>>
>>
>>
>> Is upgrading Apache NiFi to 1.26.0 or higher the only solution, or do you
>> think we can update the Spring Framework dependencies? Also, which will be
>> the more effective solution?
>>
>>
>>
>> Thanks
>>
>>
>>
>>
>> *Deepak Reddy* | Data Engineer
>> ​IT Centers of Excellence
>> 13736 Riverport Dr., Maryland Heights, MO 63043
>>
>>
>>
>> *From:* Michael Moser <moser...@gmail.com>
>> *Sent:* Wednesday, October 2, 2024 12:28 PM
>> *To:* users@nifi.apache.org
>> *Cc:* Chirthani, Deepak Reddy <c-deepakreddy.chirth...@charter.com>
>> *Subject:* [EXTERNAL] Re: cve-2024-22243
>>
>>
>>
>>
>> Each Apache NiFi release tends to upgrade several dependencies, so from a
>> security standpoint we always recommend using the latest version.
>>
>>
>>
>> For that specific CVE, however, you will want to use NiFi version 1.26.0
>> or higher.
>>
>>
>>
>> Regards,
>>
>> -- Mike
>>
>>
>>
>>
>>
>> On Wed, Oct 2, 2024 at 10:19 AM Chirthani, Deepak Reddy <
>> c-deepakreddy.chirth...@charter.com> wrote:
>>
>> Hi,
>>
>>
>>
>> Wanted to know how to resolve CVE-2024-22243 on NiFi on-prem clusters
>> with version 1.21.0. Any inputs/advice are appreciated.
>>
>>
>>
>> Thanks
>>
>> The contents of this e-mail message and any attachments are intended
>> solely for the addressee(s) and may contain confidential and/or legally
>> privileged information. If you are not the intended recipient of this
>> message or if this message has been addressed to you in error, please
>> immediately alert the sender by reply e-mail and then delete this message
>> and any attachments. If you are not the intended recipient, you are
>> notified that any use, dissemination, distribution, copying, or storage of
>> this message or any attachment is strictly prohibited.
>>
>