====================================================================
CERT-Renater Information Note No. 2019/VULN368
_____________________________________________________________________
DATE : 21/11/2019
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache NiFi.
=====================================================================
https://nifi.apache.org/security.html#CVE-2019-10083
https://nifi.apache.org/security.html#CVE-2019-12421
https://nifi.apache.org/security.html#CVE-2019-10080
_____________________________________________________________________
[CVEID]:CVE-2019-10083
[PRODUCT]:Apache NiFi
[VERSION]:Apache NiFi 1.3.0 to 1.9.2
[PROBLEMTYPE]:Information Disclosure
[REFERENCES]:https://nifi.apache.org/security.html#CVE-2019-10083
[DESCRIPTION]:As reported by Mark Payne, when updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the topmost level, not recursively). The response included details about processors and controller services to which the user may not have had read access.
_____________________________________________________________________
[CVEID]:CVE-2019-12421
[PRODUCT]:Apache NiFi
[VERSION]:Apache NiFi 1.0.0 to 1.10.0
[PROBLEMTYPE]:Authentication
[REFERENCES]:https://nifi.apache.org/security.html#CVE-2019-12421
[DESCRIPTION]:As reported by Abdu Sahin, when using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.
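The CVE-2019-12421 entry above describes a logout that only discards the token in the browser, leaving the same token accepted by the server until its 12-hour expiry. The following is an added illustration of the server-side fix pattern, not NiFi's own code: every issued token carries an identifier (jti), logout records that identifier in a server-side revocation list, and every API request checks the list before honouring the token. The token format, signing key, 12-hour lifetime and the in-memory revocation store are constructed assumptions for the example.

```python
"""Server-side token revocation on logout (added example, not NiFi code).

Tokens are HMAC-signed JSON claims {sub, jti, exp}. The revocation list keeps
each revoked jti until that token's own expiry, so the list cannot grow without
bound. The signing key and lifetime below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

SECRET = b"example-signing-key-not-for-production"  # constructed demo key
TOKEN_LIFETIME = 12 * 3600  # seconds; mirrors the 12-hour window in the advisory


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    """Issues signed tokens and tracks revoked token ids until they expire."""

    def __init__(self, secret: bytes = SECRET, now=time.time):
        self._secret = secret
        self._now = now  # injectable clock so the demo can move time forward
        self._revoked: Dict[str, float] = {}  # jti -> exp, for purging

    def issue(self, subject: str) -> str:
        claims = {"sub": subject, "jti": secrets.token_hex(16),
                  "exp": self._now() + TOKEN_LIFETIME}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self._secret, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def _claims(self, token: str) -> Optional[dict]:
        """Verify signature and expiry; return the claims or None."""
        try:
            body, sig = token.split(".")
            expected = hmac.new(self._secret, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_unb64(sig), expected):
                return None
            claims = json.loads(_unb64(body))
        except ValueError:  # malformed base64/JSON or wrong number of parts
            return None
        if claims["exp"] <= self._now():
            return None
        return claims

    def logout(self, token: str) -> bool:
        """The missing server-side step: record the jti so the token is refused."""
        claims = self._claims(token)
        if claims is None:
            return False
        self._revoked[claims["jti"]] = claims["exp"]
        return True

    def authenticate(self, token: str) -> Optional[str]:
        """Return the subject of a valid, unrevoked token, else None."""
        self._purge()
        claims = self._claims(token)
        if claims is None or claims["jti"] in self._revoked:
            return None
        return claims["sub"]

    def _purge(self) -> None:
        now = self._now()
        for jti, exp in list(self._revoked.items()):
            if exp <= now:
                del self._revoked[jti]


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Walk the advisory's scenario: login, logout, then reuse an hour later."""
    clock = [1_000_000.0]
    svc = TokenService(now=lambda: clock[0])
    tok = svc.issue("alice")
    before_logout = svc.authenticate(tok)   # "alice"
    svc.logout(tok)
    after_logout = svc.authenticate(tok)    # None: refused server-side
    clock[0] += 3600                        # one hour later, still inside 12 h
    an_hour_later = svc.authenticate(tok)   # None: revocation persists
    return before_logout, after_logout, an_hour_later
```

Without the `logout` step the same token would keep returning "alice" for the full 12 hours, which is exactly the behaviour the advisory describes. In a clustered deployment the revocation store has to be shared between nodes (a database or cache), otherwise a token revoked on one node is still accepted by the others.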
_____________________________________________________________________
[CVEID]:CVE-2019-10080
[PRODUCT]:Apache NiFi
[VERSION]:Apache NiFi 1.3.0 to 1.9.2
[PROBLEMTYPE]:Information Disclosure
[REFERENCES]:https://nifi.apache.org/security.html#CVE-2019-10080
[DESCRIPTION]:As reported by RunningSnail, the XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFi instance uses.
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44 +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41 +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================
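The CVE-2019-10080 entry above is an XML external entity (XXE) weakness: the lookup file is parsed with entity processing enabled, so a DOCTYPE in an operator-supplied file can make the server contact external services. The following is an added illustration of the hardened parser pattern, not NiFi's own code: it refuses any DOCTYPE declaration outright (so no entity, internal or external, can be declared) and also refuses external entity references, failing the whole file before any value is read. The `<lookup><entry key="...">value</entry></lookup>` file layout, the sample files and the placeholder URL are constructed assumptions for the example.

```python
"""XXE-hardened parser for an XML key/value lookup file (added example, not NiFi code).

Uses the standard-library expat binding directly so the two relevant hooks are
explicit: StartDoctypeDeclHandler rejects any DTD, and ExternalEntityRefHandler
rejects any attempt to resolve an external entity. Both raise, which aborts the
parse and propagates out of Parse().
"""
import xml.parsers.expat
from typing import Dict


class UnsafeXmlError(ValueError):
    """Raised when a lookup file contains constructs the service must not process."""


def parse_lookup(xml_bytes: bytes) -> Dict[str, str]:
    """Return {key: value} from <lookup><entry key="k">v</entry>...</lookup>."""
    parser = xml.parsers.expat.ParserCreate()
    entries: Dict[str, str] = {}
    state = {"key": None, "text": []}

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Equivalent in intent to Java's disallow-doctype-decl feature.
        raise UnsafeXmlError("DOCTYPE declarations are not allowed in lookup files")

    def reject_external(context, base, system_id, public_id):
        # Defence in depth: never fetch anything on behalf of the document.
        raise UnsafeXmlError("external entity reference refused")

    def start(name, attrs):
        if name == "entry":
            state["key"] = attrs.get("key")
            state["text"] = []

    def chars(data):
        # expat may deliver text in several chunks; collect and join at </entry>.
        if state["key"] is not None:
            state["text"].append(data)

    def end(name):
        if name == "entry" and state["key"] is not None:
            entries[state["key"]] = "".join(state["text"])
            state["key"] = None

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)
    return entries


def rejects(xml_bytes: bytes) -> bool:
    """True if the hardened parser refuses the file, False if it parses cleanly."""
    try:
        parse_lookup(xml_bytes)
    except UnsafeXmlError:
        return True
    return False


# Constructed sample of a benign lookup file.
SAFE_FILE = b"""<?xml version="1.0"?>
<lookup>
  <entry key="db.host">db01.example.internal</entry>
  <entry key="db.port">5432</entry>
</lookup>"""

# Constructed sample of the kind of file the advisory warns about: a DOCTYPE
# declaring an external entity. With entity processing enabled, expanding
# &probe; would make the server fetch the URL; here the DOCTYPE is refused first.
XXE_FILE = b"""<?xml version="1.0"?>
<!DOCTYPE lookup [ <!ENTITY probe SYSTEM "http://placeholder.invalid/collect"> ]>
<lookup><entry key="leak">&probe;</entry></lookup>"""
```

Refusing every DOCTYPE is deliberately stricter than disabling only external entities: it also shuts out internal-entity expansion attacks, and a lookup file has no legitimate need for a DTD. Operationally, a file that fails this check should be logged with the controller service name and the configuring user, since the advisory's scenario is a trusted user configuring the file without realising what it does.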