
List:       oss-security
Subject:    [oss-security] CVE-2020-1942: Apache NiFi 0.0.1 to 1.11.0 information disclosure in logs
From:       Andy LoPresto <alopresto () apache ! org>
Date:       2020-02-10 21:49:30
Message-ID: CE6967F1-2CD4-4A6E-89CF-75B2FE817EAE () apache ! org


The https://nifi.apache.org/security.html page has been updated with 1 vulnerability discovered in previous NiFi versions which has been resolved in release 1.11.1. The severity of this issue was determined to be 'important'. Questions about this vulnerability can be directed to security@nifi.apache.org.

CVE-2020-1942: Apache NiFi information disclosure in logs

Severity: Important

Versions Affected: Apache NiFi 0.0.1 - 1.11.0

Description: The flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext.

Mitigation: Implemented Argon2 secure hashing to provide a deterministic loggable value which does not reveal the sensitive value. Users running any previous NiFi release should upgrade to the latest release.
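As an added illustration of the pattern the description and mitigation above refer to (this is not NiFi's own code): a fingerprint built with sensitive values inline, beside one where each sensitive value is replaced by a deterministic, memory-hard hash so that two nodes still agree on the fingerprint but the log line no longer carries the plaintext. The flow contents and salt are constructed, and hashlib.scrypt stands in for Argon2 because it is in the Python standard library.

```python
import hashlib

# Constructed sample flows: (processor type, property descriptors).
# Names in SENSITIVE mark descriptors whose values must never reach a log.
SENSITIVE = {"Password", "Access Key Secret"}

CLUSTER_FLOW = [
    ("PutSFTP", {"Hostname": "sftp.example.test", "Password": "hunter2"}),
    ("PutS3Object", {"Bucket": "ingest", "Access Key Secret": "constructed-secret-1"}),
]
LOCAL_FLOW = [
    ("PutSFTP", {"Hostname": "sftp.example.test", "Password": "hunter2"}),
    ("PutS3Object", {"Bucket": "staging", "Access Key Secret": "constructed-secret-1"}),
]

# The salt is fixed on purpose: every node must derive the same hash for the same
# value, or cluster and local fingerprints would never match. A per-node random
# salt would defeat the comparison. (Constructed value, not NiFi's.)
FINGERPRINT_SALT = b"flow-fingerprint-demo-salt"


def hash_sensitive(value: str) -> str:
    """Deterministic hash of a sensitive value; scrypt stands in for Argon2.
    A memory-hard function matters here because the fixed salt means a leaked
    fingerprint could otherwise be attacked by cheap offline guessing."""
    digest = hashlib.scrypt(value.encode(), salt=FINGERPRINT_SALT, n=2**14, r=8, p=1, dklen=32)
    return digest.hex()


def fingerprint(flow, redact: bool) -> str:
    """Canonical fingerprint string. redact=False reproduces the pre-1.11.1 behaviour
    (sensitive values inline); redact=True applies the fix."""
    parts = []
    for ptype, props in flow:
        for name in sorted(props):
            value = props[name]
            if redact and name in SENSITIVE:
                value = hash_sensitive(value)
            parts.append(f"{ptype}:{name}={value}")
    return ";".join(parts)


def log_on_mismatch(cluster_fp: str, local_fp: str):
    """The message a node would emit when the cluster flow is not inheritable:
    both fingerprints, which is exactly where the plaintext used to leak."""
    if cluster_fp == local_fp:
        return None
    return f"Proposed flow is not inheritable. cluster=[{cluster_fp}] local=[{local_fp}]"
```

Running `log_on_mismatch(fingerprint(CLUSTER_FLOW, True), fingerprint(LOCAL_FLOW, True))` still reports the Bucket difference but contains neither secret.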

Released: February 4, 2020

If you identify new security issues within the NiFi 1.11.1 release, please forward your report to security@nifi.apache.org and do not disclose the issue publicly. The security vulnerability reporting and disclosure process can be found here: https://www.apache.org/security/committers.html.

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69


