This is an automated email from the ASF dual-hosted git repository.

exceptionfactory pushed a commit to branch main-staging
in repository https://gitbox.apache.org/repos/asf/nifi-site.git

commit 3369e2f006a98341c312a6dd241c641f03f5d392
Author: exceptionfactory <exceptionfact...@apache.org>
AuthorDate: Mon Jun 12 09:20:27 2023 -0500

    NIFI-11654 Published CVE-2023-34212 and CVE-2023-34468
    
    (cherry picked from commit 8f264d9f71fa3b47c673c3100aa0e2e7481de424)
---
 source/security.html | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

diff --git a/source/security.html b/source/security.html
index bdecd15..dce4ad5 100644
--- a/source/security.html
+++ b/source/security.html
@@ -66,6 +66,67 @@ title: Apache NiFi Security Reports
     </div>
 </div>
 <div class="medium-space"></div>
+
+<div class="row">
+    <div class="large-12 columns features">
+        <h2><a id="1.22.0" href="#1.22.0">Fixed in Apache NiFi 1.22.0</a></h2>
+    </div>
+</div>
+<!-- Vulnerabilities -->
+<div class="row">
+    <div class="large-12 columns features">
+        <h2><a id="1.22.0-vulnerabilities" 
href="#1.22.0-vulnerabilities">Vulnerabilities</a></h2>
+    </div>
+</div>
+<div class="row" style="background-color: aliceblue">
+    <div class="large-12 columns">
+        <p><a id="CVE-2023-34468" 
href="#CVE-2023-34468"><strong>CVE-2023-34468</strong></a>: Potential Code 
Injection with Database Services using H2</p>
+        <p>Severity: <strong>Important</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 0.0.2 - 1.21.0</li>
+        </ul>
+        </p>
+        <p>The DBCPConnectionPool and HikariCPConnectionPool Controller 
Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and 
authorized user to configure a Database URL with the H2 driver that enables 
custom code execution.</p>
+        <p>The resolution validates the Database URL and rejects H2 JDBC 
locations.</p>
+        <p>Mitigation: Upgrading to NiFi 1.22.0 disables H2 JDBC URLs in the 
default configuration.</p>
+        <p>Credit: This issue was discovered by Matei "Mal" Badanoiu</p>
+        <p>CVE Link: <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34468"; 
target="_blank">Mitre Database CVE-2023-34468</a></p>
+        <p>
+            NiFi Jira: <a 
href="https://issues.apache.org/jira/browse/NIFI-11653"; 
target="_blank">NIFI-11653</a>
+        </p>
+        <p>
+            NiFi PR: <a href="https://github.com/apache/nifi/pull/7349"; 
target="_blank">PR 7349</a>
+        </p>
+        <p>Released: 2023-06-12</p>
+    </div>
+</div>
+<div class="small-space"></div>
+<div class="row" style="background-color: aliceblue">
+    <div class="large-12 columns">
+        <p><a id="CVE-2023-34212" 
href="#CVE-2023-34212"><strong>CVE-2023-34212</strong></a>: Potential 
Deserialization of Untrusted Data with JNDI in JMS Components</p>
+        <p>Severity: <strong>Important</strong></p>
+        <p>Versions Affected:</p>
+        <ul>
+            <li>Apache NiFi 1.8.0 - 1.21.0</li>
+        </ul>
+        </p>
+        <p>The JndiJmsConnectionFactoryProvider Controller Service along with 
the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 
allow an authenticated and authorized user to configure URL and library 
properties that enable deserialization of untrusted data from a remote 
location.</p>
+        <p>The resolution validates the JNDI URL and restricts locations to a 
set of allowed schemes.</p>
+        <p>Mitigation: Upgrading to NiFi 1.22.0 disables LDAP for JNDI URLs in 
the default configuration.</p>
+        <p>Credit: This issue was discovered by Veraxy00 of Qianxin TI Center 
and also reported by Matei "Mal" Badanoiu</p>
+        <p>CVE Link: <a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34212"; 
target="_blank">Mitre Database CVE-2023-34212</a></p>
+        <p>
+            NiFi Jira: <a 
href="https://issues.apache.org/jira/browse/NIFI-11614"; 
target="_blank">NIFI-11614</a>
+        </p>
+        <p>
+            NiFi PR: <a href="https://github.com/apache/nifi/pull/7313"; 
target="_blank">PR 7313</a>
+        </p>
+        <p>Released: 2023-06-12</p>
+    </div>
+</div>
+<div class="medium-space"></div>
+
 <div class="row">
     <div class="large-12 columns features">
         <h2><a id="1.20.0" href="#1.20.0">Fixed in Apache NiFi 1.20.0</a></h2>
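Review bot: the `</p>` on the line directly after `</ul>` in the Versions Affected block has no matching opening tag in either new entry (CVE-2023-34468 and CVE-2023-34212), because the preceding `<p>Versions Affected:</p>` already closes itself; drop the stray `</p>` in both rows so the added markup is well-formed. Two smaller points in the same hunk: the `;` following the closing quote of each external `href` (the CVE, Jira and PR links) will render as stray text on the page if it is present in the file rather than an artifact of the mail rendering, and the CVE-2023-34212 paragraph should read "allows", since its grammatical subject is the single JndiJmsConnectionFactoryProvider Controller Service rather than the processors named in the "along with" phrase.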
@@ -77,6 +138,7 @@ title: Apache NiFi Security Reports
         <h2><a id="1.20.0-vulnerabilities" 
href="#1.20.0-vulnerabilities">Vulnerabilities</a></h2>
     </div>
 </div>
+<div class="medium-space"></div>
 <div class="row" style="background-color: aliceblue">
     <div class="large-12 columns">
         <p><a id="CVE-2023-22832" 
href="#CVE-2023-22832"><strong>CVE-2023-22832</strong></a>: Improper 
Restriction of XML External Entity References in ExtractCCDAAttributes</p>
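Review bot: the `<div class="medium-space"></div>` inserted here between the 1.20.0 Vulnerabilities heading and its first CVE row gives that section a spacer the new 1.22.0 section in the previous hunk does not have (there the `1.22.0-vulnerabilities` row is followed immediately by the CVE-2023-34468 row). Either add the same spacer after the 1.22.0 Vulnerabilities heading or leave it out here, so the two release sections keep the same layout.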