NiFi Registry Security Vulnerability Disclosure

Apache NiFi Registry welcomes the responsible reporting of security vulnerabilities. The NiFi Registry team believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will work with you to resolve the issue promptly.

Disclosure Policy

Exclusions

While researching, we'd like to ask you to refrain from:

Reporting Methods

NiFi Registry receives vulnerability reports through the Apache NiFi team via the following means:

Thank you for helping keep Apache NiFi Registry and our users safe!

Fixed in Apache NiFi Registry 0.6.0

Vulnerabilities

CVE-2020-9482: Apache NiFi Registry user log out issue

Severity: Moderate

Versions Affected:

Description: If NiFi Registry uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry.

Mitigation: The fix to invalidate the server-side authentication token immediately after the user clicks 'Log Out' was applied in the Apache NiFi Registry 0.6.0 release.

CVE Link: Mitre Database: CVE-2020-9482

NiFi Registry Jira: NIFIREG-387

NiFi Registry PR: PR 277

Released: April 7, 2020

Dependency Vulnerabilities

CVE-2019-14540: Apache NiFi Registry's jackson-databind usage

Severity: Critical

Versions Affected:

Description: The com.fasterxml.jackson.core:jackson-databind dependency in the nifi-registry-framework was vulnerable. See NIST NVD CVE-2019-14540 for more information.

Mitigation: jackson-databind was upgraded from 2.9.9.1 to 2.10.3 for the Apache NiFi Registry 0.6.0 release. It is unlikely that NiFi Registry's usage of this dependency could be exploited as described by the CVE, however we consider it prudent for users running a prior 0.x release to upgrade to the 0.6.0 release.

CVE Link: Mitre Database: CVE-2019-14540

NiFi Registry Jira: NIFIREG-376

NiFi Registry PR: PR 271

Released: April 7, 2020

CVE-2019-10782: Apache NiFi's Registry's checkstyle usage

Severity: Moderate

Versions Affected:

Description: The com.puppycrawl.tools:checkstyle dependency was vulnerable. See NIST NVD CVE-2019-10782 for more information.

Mitigation: The checkstyle dependency was upgraded from 8.21 to 8.31 for the Apache NiFi Registry 0.6.0 release. It is unlikely that NiFi Registry's usage of this dependency could be exploited as described by the CVE, however we consider it prudent for users running a prior 0.x release to upgrade to the 0.6.0 release.

CVE Link: Mitre Database: CVE-2019-10782

NiFi Registry Jira: NIFIREG-364

NiFi Registry PR: PR 270

Released: April 7, 2020

CVE-2018-10054: Apache NiFi's Registry h2 database usage

Severity: Important

Versions Affected:

Description: The com.h2database:h2 dependency in the nifi-registry-framework module was vulnerable. See NIST NVD CVE-2018-10054 for more information.

Mitigation: The h2 database dependency was upgraded from 1.4.197 to 1.4.199 for the Apache NiFi Registry 0.6.0 release. It is unlikely that NiFi Registry's usage of this dependency could be exploited as described by the CVE, however we consider it prudent for users running a prior 0.x release to upgrade to the 0.6.0 release.

CVE Link: Mitre Database: CVE-2018-10054

NiFi Registry Jira: NIFIREG-372

NiFi Registry PR: PR 267

Released: April 7, 2020

Severity Levels

The following lists the severity levels and criteria followed. It closely aligns to and borrows from Apache HTTP Server Project guidance.

Critical A vulnerability rated with a critical impact is one which could be potentially exploited by a remote attacker to get NiFi Registry to execute arbitrary code either as the user the server is running as or root. These are the sorts of vulnerabilities that could be exploited automatically by worms.
Important A vulnerability rated as Important impact is one which could result in the compromise of data or availability of the server. For Apache NiFi Registry this includes issues that allow an easy remote denial of service or access to files that should be otherwise prevented by limits or authentication.
Moderate A vulnerability is likely to be rated as Moderate if there is significant mitigation to make the issue less of an impact. This might be done because the flaw does not affect likely configurations, or it is a configuration that isn't widely used, or where a remote user must be authenticated in order to exploit the issue.
Low All other security flaws are classed as a Low impact. This rating is used for issues that are believed to be extremely hard to exploit, or where an exploit gives minimal consequences.