[
https://issues.apache.org/jira/browse/NIFI-9675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17496420#comment-17496420
]
Grant Cotton commented on NIFI-9675:
------------------------------------
These two vulnerabilities also apply to NiFi Registry (1.15.3) and Nifi Toolkit
(1.15.3)
> Upgrade H2 to 2.1.210 to mitigate Critical CVEs
> -----------------------------------------------
>
> Key: NIFI-9675
> URL: https://issues.apache.org/jira/browse/NIFI-9675
> Project: Apache NiFi
> Issue Type: Improvement
> Reporter: Raman N
> Priority: Major
>
> In H2 versions used in Apache NiFi; following vulnerabilities are detected by
> Trivy:
> [https://nvd.nist.gov/vuln/detail/CVE-2021-42392]
> [https://nvd.nist.gov/vuln/detail/CVE-2022-23221]
> These CVEs can be fixed by upgrading *h2* version to 2.1.210
> *CVE-2021-42392:*
> {code:java}
> {
> "VulnerabilityID": "CVE-2021-42392",
> "PkgName": "com.h2database:h2",
> "PkgPath": "opt/nifi/nifi-toolkit-current/lib/h2-1.4.199.jar",
> "InstalledVersion": "1.4.199",
> "FixedVersion": "2.0.206",
> "Layer": {
> "Digest":
> "sha256:4e4453b0591c2445b47576e4a8721ccc1bb1e7312c9f78c6c0f7fdbddad2a0f3",
> "DiffID":
> "sha256:5e21f394214906c7864139895d26d2dae021b68493693c633f5f9b0a690ae2b2"
> },
> "SeveritySource": "ghsa-maven",
> "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42392";,
> "Title": "h2: Remote Code Execution in Console",
> "Description": "The org.h2.util.JdbcUtils.getConnection method of
> the H2 database takes as parameters the class name of the driver and URL of
> the database. An attacker may pass a JNDI driver name and a URL leading to a
> LDAP or RMI servers, causing remote code execution. This can be exploited
> through various attack vectors, most notably through the H2 Console which
> leads to unauthenticated remote code execution.",
> "Severity": "CRITICAL",
> "CweIDs": [
> "CWE-502"
> ],
> "CVSS": {
> "nvd": {
> "V2Vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
> "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
> "V2Score": 10,
> "V3Score": 9.8
> },
> "redhat": {
> "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
> "V3Score": 7.1
> }
> } ...
> {code}
> *CVE-2022-23221:*
> {code:java}
> {
> "VulnerabilityID": "CVE-2022-23221",
> "PkgName": "com.h2database:h2",
> "PkgPath": "opt/nifi/nifi-toolkit-current/lib/h2-1.4.199.jar",
> "InstalledVersion": "1.4.199",
> "FixedVersion": "2.1.210",
> "Layer": {
> "Digest":
> "sha256:4e4453b0591c2445b47576e4a8721ccc1bb1e7312c9f78c6c0f7fdbddad2a0f3",
> "DiffID":
> "sha256:5e21f394214906c7864139895d26d2dae021b68493693c633f5f9b0a690ae2b2"
> },
> "SeveritySource": "ghsa-maven",
> "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-23221";,
> "Title": "h2: Loading of custom classes from remote servers through
> JNDI",
> "Description": "H2 Console before 2.1.210 allows remote attackers
> to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the
> IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring,
> a different vulnerability than CVE-2021-42392.",
> "Severity": "CRITICAL",
> "CweIDs": [
> "CWE-94"
> ],
> "CVSS": {
> "nvd": {
> "V2Vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
> "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
> "V2Score": 10,
> "V3Score": 9.8
> },
> "redhat": {
> "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
> "V3Score": 8.1
> }
> },..
> {code}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
