Security Vulnerability Disclosure

Apache NiFi welcomes the responsible reporting of security vulnerabilities. The NiFi team believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will work with you to resolve the issue promptly.

Disclosure Policy

Exclusions

While researching, we'd like to ask you to refrain from:

Reporting Methods

NiFi accepts reports in multiple ways:

Thank you for helping keep Apache NiFi and our users safe!

Fixed in Apache NiFi 1.8.0

Vulnerabilities

CVE-2018-17192: Apache NiFi clickjacking vulnerability

Severity: Low

Versions Affected:

Description: The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks.

Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Suchithra V N.

CVE Link: Mitre Database: CVE-2018-17192

NiFi Jira: NIFI-5258

NiFi PR: PR 2759, PR 2791, PR 2812

Released: October 26, 2018

CVE-2018-17193: Apache NiFi reflected XSS attack in X-ProxyContextPath

Severity: Moderate

Versions Affected:

Description: The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack.

Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Dan Fike. Additional assistance from Patrick White.

CVE Link: Mitre Database: CVE-2018-17193

NiFi Jira: NIFI-5442

NiFi PR: PR 2908

Released: October 26, 2018

CVE-2018-17194: Apache NiFi Denial of service via DELETE cluster request replication

Severity: Moderate

Versions Affected:

Description: When a client request to a cluster node was replicated to other nodes in the cluster for verification, the Content-Length was forwarded. On a DELETE request, the body was ignored, but if the initial request had a Content-Length value other than 0, the receiving nodes would wait for the body and eventually timeout.

Mitigation: The fix to check DELETE requests and overwrite non-zero Content-Length header values was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Mike Cole and Andy LoPresto.

CVE Link: Mitre Database: CVE-2018-17194

NiFi Jira: NIFI-5628

NiFi PR: PR 3035

Released: October 26, 2018

CVE-2018-17195: Apache NiFi CSRF vulnerability in template upload API

Severity: Severe

Versions Affected:

Description: The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + man in the middle (MiTM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level.

Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Mike Cole.

CVE Link: Mitre Database: CVE-2018-17195

NiFi Jira: NIFI-5595

NiFi PR: PR 3024

Released: October 26, 2018

Dependency Vulnerabilities

CVE-2014-0193: Apache NiFi Denial of service because of netty vulnerability

Severity: Low

Versions Affected:

Description: A vulnerability in the netty library could cause denial of service. See NIST NVD CVE-2014-0193 or netty release announcement for more information.

Mitigation: The fix to upgrade the netty library to 3.7.1.Final was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Nathan Gough.

CVE Link: Mitre Database: CVE-2014-0193

NiFi Jira: NIFI-5665

NiFi PR: PR 3067

Released: October 26, 2018

Informational

NIFI-2018-006: Apache NiFi Suppression of stack trace when malicious XSS query is submitted

Severity: Informational

Versions Affected:

Description: A reporter submitted a (false positive) claim of a reflected XSS attack. See the CVE-2016-8748 announcement for more information. While the XSS attack was not valid, the resulting stack trace contained unnecessary information.

Mitigation: The fix to suppress the stacktrace was applied on the Apache NiFi 1.7.1 and 1.8.0 releases. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Prashanth V.

CVE Link: N/A

NiFi Jira: NIFI-5374

NiFi PR: PR 2840

Released: October 26, 2018

NIFI-2018-014: Apache NiFi addition of Content Security Policy (CSP) frame-ancestor HTTP response header

Severity: Informational

Versions Affected:

Description: Following best practice recommendations, the frame-ancestors CSP response header is provided as well as X-Frame-Options for increased compatibility across browsers.

Mitigation: The addition of these headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Nathan Gough and Andy LoPresto.

CVE Link: N/A

NiFi Jira: NIFI-5366

NiFi PR: PR 2989

Released: October 26, 2018

Fixed in Apache NiFi 1.7.0

CVE-2018-1324: Apache NiFi Denial of service issue because of commons-compress vulnerability

Severity: Low

Versions Affected:

Description: A vulnerability in the commons-compress library could cause denial of service. See commons-compress CVE-2018-1324 announcement for more information.

Mitigation: The fix to upgrade the commons-compress library to 1.16.1 was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release. This was previously incorrectly reported as being fixed in Apache NiFi 1.6.0

Credit: This issue was discovered by Joe Witt.

CVE Link: Mitre Database: CVE-2018-1324

NiFi Jira: NIFI-5108

NiFi PR: PR 2651

Released: June 25, 2018

CVE-2016-1000031: Apache NiFi dependency vulnerability in commons-fileupload

Severity: Moderate

Versions Affected:

Description: A vulnerability in the commons-fileupload library could cause remote code execution (RCE). See Tenable Research Advisory TRA-2016-30 for more information.

Mitigation: The fix to upgrade the commons-fileupload library to 1.3.3 was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Apache Commons project contests validity of this vulnerability and proposes this is the responsibility of the consuming application.

Credit: This issue was discovered by Matt Gilman.

CVE Link: Mitre Database: CVE-2016-1000031

NiFi Jira: NIFI-5124

NiFi PR: PR 2662

Released: June 25, 2018

CVE-2018-7489, CVE-2017-7525, and CVE-2017-15095: Apache NiFi dependency vulnerability in FasterXML Jackson

Severity: Severe

Versions Affected:

Description: A vulnerability in the FasterXML Jackson XML parsing library could allow unauthenticated remote code execution (RCE). See NVD CVE-2018-7489 for more information.

Mitigation: The fix to upgrade the jackson-databind library to 2.9.5 was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Sivaprasanna Sethuraman.

CVE Link: Mitre Database: CVE-2018-7489, Mitre Database: CVE-2017-7525, Mitre Database: CVE-2017-15095

NiFi Jira: NIFI-5286

NiFi PR: PR 2775

Released: June 25, 2018

angular:20171018 and angular:20180202: Apache NiFi dependency XSS vulnerability in AngularJS

Severity: Moderate

Versions Affected:

Description: A vulnerability in the AngularJS library could allow XSS. See Snyk npm:angular:20171018 and Snyk npm:angular:20180202 for more information.

Mitigation: The fix to upgrade the commons-compress library to 1.7.0 was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Prashanth V.

CVE Link: N/A

NiFi Jira: NIFI-5215

NiFi PR: PR 2721

Released: June 25, 2018

NIFI-2018-009: Apache NiFi proactive escaping of batch ingest JSON to Elasticsearch to prevent injection attack

Severity: Low

Versions Affected:

Description: While no published attack exists, NiFi strengthened the security around the batch processing Elasticsearch ingest feature to prevent injection attacks.

Mitigation: The improved content escaping was applied on the Apache NiFi 1.7.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Jonathan Logan.

CVE Link: N/A

NiFi Jira: NIFI-5266

NiFi PR: PR 2760

Released: June 25, 2018

Fixed in Apache NiFi 1.6.0

CVE-2018-1309: Apache NiFi XML External Entity issue in SplitXML processor

Severity: Moderate

Versions Affected:

Description: Malicious XML content could cause information disclosure or remote code execution.

Mitigation: The fix to disable external general entity parsing and disallow doctype declarations was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by 圆珠笔.

CVE Link: Mitre Database: CVE-2018-1309

Released: April 8, 2018

CVE-2018-1310: Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability

Severity: Moderate

Versions Affected:

Description: Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information.

Mitigation: The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by 圆珠笔.

CVE Link: Mitre Database: CVE-2018-1310

Released: April 8, 2018

CVE-2017-8028: Apache NiFi LDAP TLS issue because of Spring Security LDAP vulnerability

Severity: Severe

Versions Affected:

Description: Spring Security LDAP library was not enforcing credential authentication after TLS handshake negotiation. See NVD CVE-2017-8028 disclosure for more information.

Mitigation: The fix to upgrade the spring-ldap library to 2.3.2.RELEASE+ was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Matthew Elder.

CVE Link: Mitre Database: CVE-2017-8028

Released: April 8, 2018

CVE-2018-1324: Apache NiFi Denial of service issue because of commons-compress vulnerability -- This issue was resolved in Apache NiFi 1.7.0

Severity: Low

Versions Affected:

Description: A vulnerability in the commons-compress library could cause denial of service. See commons-compress CVE-2018-1324 announcement for more information.

Mitigation: The fix to upgrade the commons-compress library to 1.16.1 was applied on the Apache NiFi 1.6.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Joe Witt.

CVE Link: Mitre Database: CVE-2018-1324

Released: April 8, 2018

Fixed in Apache NiFi 1.5.0

CVE-2017-12632: Apache NiFi host header poisoning issue

Severity: Moderate

Versions Affected:

Description: A malicious host header in an incoming HTTP request could cause NiFi to load resources from an external server.

Mitigation: The fix to sanitize host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Mike Cole.

CVE Link: Mitre Database: CVE-2017-12632

Released: January 12, 2018

CVE-2017-15697: Apache NiFi XSS issue in context path handling

Severity: Moderate

Versions Affected:

Description: A malicious X-ProxyContextPath or X-Forwarded-Context header containing external resources or embedded code could cause remote code execution.

Mitigation: The fix to properly handle these headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Andy LoPresto.

CVE Link: Mitre Database: CVE-2017-15697

Released: January 12, 2018

Fixed in Apache NiFi 1.4.0

CVE-2017-12623: Apache NiFi XXE issue in template XML upload

Severity: Moderate Important

Versions Affected:

Description: An authorized user Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack.

Mitigation: The fix to properly handle XML External Entities was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Paweł Gocyla and further information was provided by Mike Cole.

CVE Link: Mitre Database: CVE-2017-12623

Released: October 2, 2017 (Updated January 23, 2018)

CVE-2017-15703: Apache NiFi Java deserialization issue in template XML upload

Severity: Moderate

Versions Affected:

Description: Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack.

Mitigation: The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Mike Cole.

CVE Link: Mitre Database: CVE-2017-15703

Released: October 2, 2017 (Updated January 25, 2018)

Fixed in Apache NiFi 0.7.4 and 1.3.0

CVE-2017-7665: Apache NiFi XSS issue on certain user input components

Severity: Important

Versions Affected:

Description: There are certain user input components in the Apache NiFi UI which had been guarding for some forms of XSS issues but were insufficient.

Mitigation: The fix for more complete user input sanitization will be applied on Apache NiFi 0.7.4 and Apache NiFi 1.3.0 releases. Users running a prior 0.x or 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Matt Gilman.

Released: May 8, 2017 (1.2.0); May 17, 2017 (0.7.3)

CVE-2017-7667: Apache NiFi XFS issue due to insufficient response headers

Severity: Important

Versions Affected:

Description: Apache NiFi needs to establish the response header telling browsers to only allow framing with the same origin.

Mitigation: The fix to set this response header will be applied on Apache NiFi 0.7.4 and Apache NiFi 1.3.0 releases. Users running a prior 0.x or 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Matt Gilman.

Released: May 8, 2017 (1.2.0); May 17, 2017 (0.7.3)

Fixed in Apache NiFi 0.7.2 and 1.1.2

CVE-2017-5635: Apache NiFi Unauthorized Data Access In Cluster Environment

Severity: Important

Versions Affected:

Description: In a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the “anonymous” user.

Mitigation: A fix has been provided (removing the negative check for anonymous user before building the proxy chain and throwing an exception, and evaluating each user in the proxy chain iteration and comparing against a static constant anonymous user). This fix was applied in NIFI-3487 and released in Apache NiFi 0.7.2 and 1.1.2. 1.x users running a clustered environment should upgrade to 1.1.2. 0.x users running a clustered environment should upgrade to 0.7.2. Additional migration guidance can be found here.

Credit: This issue was discovered by Leonardo Dias in conjunction with Matt Gilman.

Released: February 20, 2017

CVE-2017-5636: Apache NiFi User Impersonation In Cluster Environment

Severity: Moderate

Versions Affected:

Description: In a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.

Mitigation: A fix has been provided (modification of the tokenization code and sanitization of user-provided input). This fix was applied in NIFI-3487 and released in Apache NiFi 0.7.2 and 1.1.2. 1.x users running a clustered environment should upgrade to 1.1.2. 0.x users running a clustered environment should upgrade to 0.7.2. Additional migration guidance can be found here.

Credit: This issue was discovered by Andy LoPresto.

Released: February 20, 2017

Fixed in Apache NiFi 1.0.1 and 1.1.1

CVE-2016-8748: Apache NiFi XSS vulnerability in connection details dialogue

Severity: Moderate

Versions Affected:

Description: There is a cross-site scripting vulnerability in connection details dialog when accessed by an authorized user. The user supplied text was not being properly handled when added to the DOM.

Mitigation: 1.0.0 users should upgrade to 1.0.1 or 1.1.1. 1.1.0 users should upgrade to 1.1.1. Additional migration guidance can be found here.

Credit: This issue was discovered by Matt Gilman of the Apache NiFi PMC during a code review.

Released: December 19, 2016 (1.0.1); December 22, 2016 (1.1.1)

Severity Levels

The following lists the severity levels and criteria followed. It closely aligns to and borrows from Apache HTTP Server Project guidance.

Critical A vulnerability rated with a critical impact is one which could be potentially exploited by a remote attacker to get NiFi to execute arbitrary code either as the user the server is running as or root. These are the sorts of vulnerabilities that could be exploited automatically by worms.
Important A vulnerability rated as Important impact is one which could result in the compromise of data or availability of the server. For Apache NiFi this includes issues that allow an easy remote denial of service or access to files that should be otherwise prevented by limits or authentication.
Moderate A vulnerability is likely to be rated as Moderate if there is significant mitigation to make the issue less of an impact. This might be done because the flaw does not affect likely configurations, or it is a configuration that isn't widely used, or where a remote user must be authenticated in order to exploit the issue.
Low All other security flaws are classed as a Low impact. This rating is used for issues that are believed to be extremely hard to exploit, or where an exploit gives minimal consequences.