[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [ANNOUNCE] CVE fixes in Apache NiFi 1.5.0
From: Andy LoPresto <alopresto () apache ! org>
Date: 2018-01-23 19:39:32
Message-ID: 5E61C789-3F39-47CC-9E4C-A28978BDD3F4 () apache ! org
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
The Apache NiFi PMC would like to announce the following CVE discoveries =
and resolutions in Apache NiFi 1.5.0, released January 12, 2018. NiFi is =
an easy to use, powerful, and reliable system to process and distribute =
data. It supports powerful and scalable directed graphs of data routing, =
transformation, and system mediation logic. For more information, see =
https://nifi.apache.org/security.html =
<https://nifi.apache.org/security.html>.
CVE-2017-12632 <https://nifi.apache.org/security.html#CVE-2017-12632>: =
Apache NiFi host header poisoning issue
Severity: Medium
Versions Affected:
Apache NiFi 0.1.0 - 1.4.0
Description: A malicious host header in an incoming HTTP request could =
cause NiFi to load resources from an external server.
Mitigation: The fix to sanitize host headers and compare to a controlled =
whitelist was applied on the Apache NiFi 1.5.0 release. Users running a =
prior 1.x release should upgrade to the appropriate release.
Credit: This issue was discovered by Mike Cole.
Released: January 12, 2018
CVE-2017-15697 <https://nifi.apache.org/security.html#CVE-2017-15697>: =
Apache NiFi XSS issue in context path handling
Severity: Medium
Versions Affected:
Apache NiFi 1.0.0 - 1.4.0
Description: A malicious X-ProxyContextPath or X-Forwarded-Context =
header containing external resources or embedded code could cause remote =
code execution.
Mitigation: The fix to properly handle these headers was applied on the =
Apache NiFi 1.5.0 release. Users running a prior 1.x release should =
upgrade to the appropriate release.
Credit: This issue was discovered by Andy LoPresto.
Released: January 12, 2018
Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
[Attachment #5 (unknown)]
<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body \
style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" \
class="">The Apache NiFi PMC would like to announce the following CVE discoveries and \
resolutions in Apache NiFi 1.5.0, released January 12, 2018. NiFi is an easy to use, powerful, \
and reliable system to process and distribute data. It supports powerful and scalable directed \
graphs of data routing, transformation, and system mediation logic. For more information, \
see <a href="https://nifi.apache.org/security.html" \
class="">https://nifi.apache.org/security.html</a>. <div class=""><br class=""></div><div \
class=""><div class="row" style="box-sizing: border-box; margin: 0px auto; padding: 0px; \
max-width: 62.5rem; width: 1000px; color: rgb(34, 34, 34); font-family: 'Helvetica Neue', \
Helvetica, Roboto, Arial, sans-serif; font-size: 16px; font-variant-ligatures: normal; orphans: \
2; widows: 2;"><div class="columns large-12" style="box-sizing: border-box; margin: 0px; \
padding: 0px 0.9375rem; width: 1000px; float: left; position: relative;"><p style="box-sizing: \
border-box; margin: 0px 0px 1.25rem; padding: 0px; font-family: inherit; font-size: 1rem; \
line-height: 1.6; text-rendering: optimizelegibility;" class=""><a id="CVE-2017-12632" \
href="https://nifi.apache.org/security.html#CVE-2017-12632" style="box-sizing: border-box; \
color: rgb(57, 104, 119); line-height: inherit; text-decoration: none; -webkit-font-smoothing: \
antialiased; text-shadow: rgba(0, 0, 0, 0.004) 1px 1px 1px;" class=""><strong \
style="box-sizing: border-box; line-height: inherit;" class="">CVE-2017-12632</strong></a>: \
Apache NiFi host header poisoning issue</p><p style="box-sizing: border-box; margin: 0px 0px \
1.25rem; padding: 0px; font-family: inherit; font-size: 1rem; line-height: 1.6; text-rendering: \
optimizelegibility;" class="">Severity: <strong style="box-sizing: border-box; \
line-height: inherit;" class="">Medium</strong></p><p style="box-sizing: border-box; margin: \
0px 0px 1.25rem; padding: 0px; font-family: inherit; font-size: 1rem; line-height: 1.6; \
text-rendering: optimizelegibility;" class="">Versions Affected:</p><ul style="box-sizing: \
border-box; margin: 0px 0px 1.25rem 2rem; padding: 0px; font-family: inherit; font-size: 1rem; \
line-height: 1.6; list-style-position: outside;" class=""><li style="box-sizing: border-box; \
margin: 0px; padding: 0px;" class="">Apache NiFi 0.1.0 - 1.4.0</li></ul><div style="box-sizing: \
border-box; margin: 0px 0px 1.25rem; padding: 0px; font-family: inherit; font-size: 1rem; \
line-height: 1.6; text-rendering: optimizelegibility;" class=""><br \
class="webkit-block-placeholder"></div><p style="box-sizing: border-box; margin: 0px 0px \
1.25rem; padding: 0px; font-family: inherit; font-size: 1rem; line-height: 1.6; text-rendering: \
optimizelegibility;" class="">Description: A malicious host header in an incoming HTTP request \
could cause NiFi to load resources from an external server.</p><p style="box-sizing: \
border-box; margin: 0px 0px 1.25rem; padding: 0px; font-family: inherit; font-size: 1rem; \
line-height: 1.6; text-rendering: optimizelegibility;" class="">Mitigation: The fix to sanitize \
host headers and compare to a controlled whitelist was applied on the Apache NiFi 1.5.0 \
release. Users running a prior 1.x release should upgrade to the appropriate release.</p><p \
style="box-sizing: border-box; margin: 0px 0px 1.25rem; padding: 0px; font-family: inherit; \
font-size: 1rem; line-height: 1.6; text-rendering: optimizelegibility;" class="">Credit: This \
issue was discovered by Mike Cole.</p><p style="box-sizing: border-box; margin: 0px 0px \
1.25rem; padding: 0px; font-family: inherit; font-size: 1rem; line-height: 1.6; text-rendering: \
optimizelegibility;" class="">Released: January 12, 2018</p></div></div><div class="row" \
style="box-sizing: border-box; margin: 0px auto; padding: 0px; max-width: 62.5rem; width: \
1000px; color: rgb(34, 34, 34); font-family: 'Helvetica Neue', Helvetica, Roboto, Arial, \
sans-serif; font-size: 16px; font-variant-ligatures: normal; orphans: 2; widows: 2;"><div \
class="columns large-12" style="box-sizing: border-box; margin: 0px; padding: 0px 0.9375rem; \
width: 1000px; float: left; position: relative;"><p style="box-sizing: border-box; margin: 0px \
0px 1.25rem; padding: 0px; font-family: inherit; font-size: 1rem; line-height: 1.6; \
text-rendering: optimizelegibility;" class=""><a id="CVE-2017-15697" \
href="https://nifi.apache.org/security.html#CVE-2017-15697" style="box-sizing: border-box; \
color: rgb(57, 104, 119); line-height: inherit; text-decoration: none; -webkit-font-smoothing: \
antialiased; text-shadow: rgba(0, 0, 0, 0.004) 1px 1px 1px;" class=""><strong \
style="box-sizing: border-box; line-height: inherit;" class="">CVE-2017-15697</strong></a>: \
Apache NiFi XSS issue in context path handling</p><p style="box-sizing: border-box; margin: 0px \
0px 1.25rem; padding: 0px; font-family: inherit; font-size: 1rem; line-height: 1.6; \
text-rendering: optimizelegibility;" class="">Severity: <strong style="box-sizing: \
border-box; line-height: inherit;" class="">Medium</strong></p><p style="box-sizing: \
border-box; margin: 0px 0px 1.25rem; padding: 0px; font-family: inherit; font-size: 1rem; \
line-height: 1.6; text-rendering: optimizelegibility;" class="">Versions Affected:</p><ul \
style="box-sizing: border-box; margin: 0px 0px 1.25rem 2rem; padding: 0px; font-family: \
inherit; font-size: 1rem; line-height: 1.6; list-style-position: outside;" class=""><li \
style="box-sizing: border-box; margin: 0px; padding: 0px;" class="">Apache NiFi 1.0.0 - \
1.4.0</li></ul><div style="box-sizing: border-box; margin: 0px 0px 1.25rem; padding: 0px; \
font-family: inherit; font-size: 1rem; line-height: 1.6; text-rendering: optimizelegibility;" \
class=""><br class="webkit-block-placeholder"></div><p style="box-sizing: border-box; margin: \
0px 0px 1.25rem; padding: 0px; font-family: inherit; font-size: 1rem; line-height: 1.6; \
text-rendering: optimizelegibility;" class="">Description: A malicious <code \
style="box-sizing: border-box; background-color: rgb(248, 248, 248); border: 0px solid rgb(223, \
223, 223); color: rgb(51, 51, 51); font-family: Consolas, 'Liberation Mono', Courier, \
monospace; padding: 0.125rem 0.3125rem 0.0625rem;" \
class="">X-ProxyContextPath</code> or <code style="box-sizing: border-box; \
background-color: rgb(248, 248, 248); border: 0px solid rgb(223, 223, 223); color: rgb(51, 51, \
51); font-family: Consolas, 'Liberation Mono', Courier, monospace; padding: 0.125rem 0.3125rem \
0.0625rem;" class="">X-Forwarded-Context</code> header containing external resources or \
embedded code could cause remote code execution.</p><p style="box-sizing: border-box; margin: \
0px 0px 1.25rem; padding: 0px; font-family: inherit; font-size: 1rem; line-height: 1.6; \
text-rendering: optimizelegibility;" class="">Mitigation: The fix to properly handle these \
headers was applied on the Apache NiFi 1.5.0 release. Users running a prior 1.x release should \
upgrade to the appropriate release.</p><p style="box-sizing: border-box; margin: 0px 0px \
1.25rem; padding: 0px; font-family: inherit; font-size: 1rem; line-height: 1.6; text-rendering: \
optimizelegibility;" class="">Credit: This issue was discovered by Andy LoPresto.</p><p \
style="box-sizing: border-box; margin: 0px 0px 1.25rem; padding: 0px; font-family: inherit; \
font-size: 1rem; line-height: 1.6; text-rendering: optimizelegibility;" class="">Released: \
January 12, 2018</p></div></div></div><div class=""><br class=""></div><div class=""><br \
class=""></div><div class=""><br class=""><div class=""> <div style="letter-spacing: normal; \
orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; \
widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; \
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div \
style="letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; \
text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; \
-webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; \
-webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0);" \
class="">Andy LoPresto</div><div style="color: rgb(0, 0, 0);" class=""><a \
href="mailto:alopresto@apache.org" class="">alopresto@apache.org</a></div><div class=""><i \
class=""><font color="#c0c0c0" class=""><a href="mailto:alopresto.apache@gmail.com" \
class="">alopresto.apache@gmail.com</a></font></i></div><div style="color: rgb(0, 0, 0);" \
class="">PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D \
EF69</div></div></div> </div>
<br class=""></div></body></html>
["signature.asc" (signature.asc)]
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIcBAEBCgAGBQJaZ492AAoJEDxu9lsvfe9pANsP/0giQfgzE6o62VtEsGIsEj1s
orkd/cIwik0q8S5FSURqC/R8bCpBVXrsBRba03Bv3q/eoWYAee1yTOj9+cOyhcAe
naDIOK5lC7Dcak13MX79pAzwMOHYoDiB2dosKPYKMh/6QvTV6NWy9VxixF/eCY9m
NDwhb5zQHh/1NDgNN9Qt/KSvsp1+MqwoYe09x5Z1EFEFPPtIehRQmDfQbmeJIsnz
ZtwNcoX2jTlcwzDhWzLeNCHAunv3qyHvVvFZQhJjcEyjH6+z6P8uNdm2noaGmt4J
hkiPCo+zx5zk+oZpxwo7Z/jq6iAKi0mk8xFpcEY+34RS6blI9qtmhF+JlPpDLlHS
EtVxQGpiOM/AllUtqlm0XRtlrOQPAbgvWHQCNdl4m5aGF5QUh/9sA/SvcJzcq9UH
eul1DoficYbz5EvXtlBgT0pYVLfdYtgQG0CdFXA7N9EawjvB7d+yHTm9kUdDUnsZ
dOMNjX31s86sjNzs+1NFMQDYjagMxEYSqBSHM4NkFKT6+akD6WdLKZ93yv6e8PAV
zwh/hWrCPaFbaVqflM6tDIIRL/0jjKd9HTf/auaeZvenmLGmueig+nltFSs14FTD
YpwVyqPnLoFH4o4oDw78uV7RAto+VO3bBQCEQCuYQpe3v1lfFqOsPVrw5tcc4bIV
N8TSIpPFy5N8TdBrMM8N
=jgEP
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic