Hi David, Thanks very much for the detailed response, good to know this one shouldn't be a problem for NiFi.
Cheers,
Tristan

On Fri, Apr 1, 2022 at 1:15 PM David Handermann <exceptionfact...@apache.org> wrote:

> Hi Tristan,
>
> Although NiFi 1.15.3 and earlier include Spring Framework libraries
> identified with CVE-2022-22965, initial research suggests that NiFi is not
> impacted.
>
> NiFi and NiFi Registry use Jetty, whereas the vulnerability requires
> running applications on Apache Tomcat. The vulnerability also involves data
> binding connected with spring-webmvc and spring-webflux, but NiFi uses
> JAX-RS with Jersey for REST request handling. If further research uncovers
> additional attack vectors, that could change the analysis.
>
> NiFi has already upgraded the current main branch to use Spring Framework
> 5.3.18 and Spring Boot 2.6.6, which will be incorporated in upcoming
> releases.
>
> Please see the following NiFi Jira issue for additional details regarding
> the upgrade and background on the vulnerability:
>
> https://issues.apache.org/jira/browse/NIFI-9852
>
> Regards,
> David Handermann
>
> On Thu, Mar 31, 2022 at 7:38 PM Tristan Steele <trste...@redhat.com>
> wrote:
>
> > Good Day,
> >
> > I've been reading through some of the information that is now available
> > about the recently reported remote code execution vulnerability in the
> > Spring framework and it appears that a vulnerable version of this library
> > is part of the 1.15.3 release?
> >
> > Is it known yet if this library is used in a way that makes it vulnerable
> > to exploitation? Will there likely be a new release that updates this
> > dependency to one that is not affected?
> >
> > Thanks in advance for any assistance on this one,
> > Tristan
> >
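The reasoning in David's reply (an affected Spring Framework version is necessary but not sufficient; the known vector also needs Apache Tomcat and spring-webmvc/spring-webflux data binding) is the kind of triage an operator wants to repeat against their own installation. The script below is an added example, not NiFi project code or anything from the thread: it parses jar file names from a lib directory, flags Spring Framework jars older than 5.3.18 and Spring Boot jars older than 2.6.6 (the fixed versions named in the thread), and reports whether the other two preconditions are present. The jar lists are constructed for the example and are not the real contents of a NiFi 1.15.3 lib directory; the version cut-offs deliberately ignore the 5.2.x and 2.5.x backport lines, which is an assumption noted in the code.

```python
"""Triage a lib directory against the CVE-2022-22965 preconditions named in
the thread: an affected Spring Framework / Spring Boot version, deployment
on Apache Tomcat, and data binding via spring-webmvc or spring-webflux.

Added example, not NiFi project code. Assumptions are marked inline.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions named in the thread. Assumption: anything older is treated
# as outdated; the 5.2.20 / 2.5.12 backport lines are not modelled here.
FIXED_SPRING_FRAMEWORK = (5, 3, 18)
FIXED_SPRING_BOOT = (2, 6, 6)

# Spring Framework modules that share the framework version number. Other
# spring-* artifacts (spring-security, spring-data, ...) are versioned
# separately and are deliberately ignored so they are not mis-flagged.
SPRING_FRAMEWORK_MODULES = {
    "spring-aop", "spring-beans", "spring-context", "spring-core",
    "spring-expression", "spring-jcl", "spring-jdbc", "spring-orm",
    "spring-tx", "spring-web", "spring-webflux", "spring-webmvc",
}
DATA_BINDING_MODULES = {"spring-webmvc", "spring-webflux"}

# artifact-1.2.3[.qualifier].jar, e.g. jetty-server-9.4.44.v20210927.jar
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z][a-z0-9.-]*?)-(?P<version>\d+(?:\.\d+)+)"
    r"(?:[.-][A-Za-z0-9]+)*\.jar$"
)


def parse_jar(name: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Split a jar file name into (artifact, numeric version tuple)."""
    m = JAR_RE.match(name)
    if m is None:
        return None
    version = tuple(int(p) for p in m.group("version").split("."))
    return m.group("artifact"), version


def triage(jar_names: List[str]) -> Dict[str, object]:
    """Report which of the three preconditions a set of jars meets."""
    framework: Dict[str, Tuple[int, ...]] = {}
    boot: Dict[str, Tuple[int, ...]] = {}
    containers = set()
    binding = set()
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact.startswith("spring-boot"):
            boot[artifact] = version
        elif artifact in SPRING_FRAMEWORK_MODULES:
            framework[artifact] = version
        if artifact in DATA_BINDING_MODULES:
            binding.add(artifact)
        if artifact.startswith("tomcat-"):
            containers.add("tomcat")
        elif artifact.startswith("jetty-"):
            containers.add("jetty")
    outdated_fw = sorted(a for a, v in framework.items() if v < FIXED_SPRING_FRAMEWORK)
    outdated_boot = sorted(a for a, v in boot.items() if v < FIXED_SPRING_BOOT)
    return {
        "outdated_spring_framework": outdated_fw,
        "outdated_spring_boot": outdated_boot,
        "servlet_containers": sorted(containers),
        "data_binding_modules": sorted(binding),
        # Only when all three preconditions hold does the known vector apply.
        "preconditions_met": bool(outdated_fw) and "tomcat" in containers and bool(binding),
    }


def verdict(report: Dict[str, object]) -> str:
    """Summarise a triage report in one line for an operator."""
    if not report["outdated_spring_framework"] and not report["outdated_spring_boot"]:
        return "patched"
    if report["preconditions_met"]:
        return "upgrade now: affected Spring version on Tomcat with MVC/WebFlux data binding"
    return ("upgrade recommended: affected Spring version present, "
            "but the known exploitation preconditions are not met")


def triage_directory(lib_dir: str) -> Dict[str, object]:
    """Run the same check over a real directory, e.g. $NIFI_HOME/lib."""
    return triage(sorted(os.listdir(lib_dir)))


# Constructed sample inputs, not the real contents of a NiFi 1.15.3 lib directory.
NIFI_LIKE_LIBS = [
    "spring-core-5.3.16.jar", "spring-beans-5.3.16.jar", "spring-context-5.3.16.jar",
    "spring-boot-2.6.5.jar", "jetty-server-9.4.44.v20210927.jar",
    "jersey-server-2.35.jar", "nifi-api-1.15.3.jar",
]
TOMCAT_MVC_LIBS = [
    "spring-core-5.3.16.jar", "spring-web-5.3.16.jar", "spring-webmvc-5.3.16.jar",
    "tomcat-embed-core-9.0.58.jar",
]

if __name__ == "__main__":
    for label, libs in (("nifi-like", NIFI_LIKE_LIBS), ("tomcat-mvc", TOMCAT_MVC_LIBS)):
        print(label, "->", verdict(triage(libs)))
```

Run `triage_directory("/opt/nifi/lib")` (or wherever the installation lives) to apply it to a real deployment. A "preconditions not met" verdict mirrors David's assessment, not a guarantee: as he notes, further research could turn up other vectors, so the outdated jars should still be upgraded.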