[nifi] branch master updated: NIFI-7082 Updated tls-toolkit default server and client certificates validity days to 825 days. (#4046)
This is an automated email from the ASF dual-hosted git repository. alopresto pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/master by this push: new 8faea04 NIFI-7082 Updated tls-toolkit default server and client certificates validity days to 825 days. (#4046) 8faea04 is described below commit 8faea04ff13b847fa2065ed127273d706be89064 Author: M Tien <56892372+mtien-apa...@users.noreply.github.com> AuthorDate: Mon Feb 10 20:22:49 2020 -0500 NIFI-7082 Updated tls-toolkit default server and client certificates validity days to 825 days. (#4046) Signed-off-by: Andy LoPresto --- .../nifi-toolkit-assembly/src/main/resources/conf/config-client.json| 2 +- .../nifi-toolkit-assembly/src/main/resources/conf/config-server.json| 2 +- .../main/java/org/apache/nifi/toolkit/tls/configuration/TlsConfig.java | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/conf/config-client.json b/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/conf/config-client.json index e572bc1..ea0d333 100644 --- a/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/conf/config-client.json +++ b/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/conf/config-client.json @@ -7,7 +7,7 @@ "caHostname" : "localhost", "trustStore" : "clientTrustStore", "trustStoreType" : "jks", - "days" : 1095, + "days" : 825, "keySize" : 2048, "keyPairAlgorithm" : "RSA", "signingAlgorithm" : "SHA256WITHRSA" diff --git a/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/conf/config-server.json b/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/conf/config-server.json index fae89ed..8044a6d 100644 --- a/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/conf/config-server.json +++ b/nifi-toolkit/nifi-toolkit-assembly/src/main/resources/conf/config-server.json 
@@ -4,7 +4,7 @@ "token" : "myTestTokenUseSomethingStronger", "caHostname" : "localhost", "port" : 8443, - "days" : 1095, + "days" : 825, "keySize" : 2048, "keyPairAlgorithm" : "RSA", "signingAlgorithm" : "SHA256WITHRSA" diff --git a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsConfig.java b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsConfig.java index 5e440a7..2b7f8a1 100644 --- a/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsConfig.java +++ b/nifi-toolkit/nifi-toolkit-tls/src/main/java/org/apache/nifi/toolkit/tls/configuration/TlsConfig.java @@ -28,7 +28,7 @@ public class TlsConfig { public static final String DEFAULT_HOSTNAME = "localhost"; public static final String DEFAULT_KEY_STORE_TYPE = "jks"; public static final int DEFAULT_PORT = 8443; -public static final int DEFAULT_DAYS = 3 * 365; +public static final int DEFAULT_DAYS = 825; public static final int DEFAULT_KEY_SIZE = 2048; public static final String DEFAULT_KEY_PAIR_ALGORITHM = "RSA"; public static final String DEFAULT_SIGNING_ALGORITHM = "SHA256WITHRSA";
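Review bot: in the config-client.json hunk the `"days" : 825` value now hand-duplicates `TlsConfig.DEFAULT_DAYS`, and the config-server.json hunk does the same; these sample files will silently drift the next time the Java default moves, so either drop the `days` key from the samples (letting the toolkit fall back to `DEFAULT_DAYS`) or state in the toolkit documentation that the shipped samples mirror the code default.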
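Review bot: in the TlsConfig.java hunk `DEFAULT_DAYS = 825` replaces the self-explanatory `3 * 365` with a bare literal, and neither the constant nor the commit message records why 825 was chosen; add a Javadoc line on the constant stating the rationale so the value is not "rounded" back to a year count by a later maintainer. The summary also lists only three files changed, so check whether any toolkit documentation or tests that state the old 1095-day default still need updating.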
svn commit: r1873874 - /nifi/site/trunk/security.html
Author: alopresto Date: Mon Feb 10 20:38:10 2020 New Revision: 1873874 URL: http://svn.apache.org/viewvc?rev=1873874=rev Log: Reconciled severity levels and fixed row formatting. Modified: nifi/site/trunk/security.html Modified: nifi/site/trunk/security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1873874=1873873=1873874=diff == --- nifi/site/trunk/security.html (original) +++ nifi/site/trunk/security.html Mon Feb 10 20:38:10 2020 @@ -192,14 +192,14 @@ -CVE-2020-1928: Apache NiFi information disclosure by debug logging +CVE-2020-1928: Apache NiFi information disclosure in logs Severity: Moderate Versions Affected: Apache NiFi 1.10.0 -Description: The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. +Description: The sensitive parameter parser would log parsed property descriptor values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. Mitigation: Removed debug logging from the class. Users running the 1.10.0 release should upgrade to the latest release. Credit: This issue was discovered by Andy LoPresto. CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1928; target="_blank">Mitre Database: CVE-2020-1928 @@ -211,7 +211,7 @@ CVE-2020-1933: Apache NiFi XSS attack -Severity: High +Severity: Important Versions Affected: Apache NiFi 1.0.0 - 1.10.0 @@ -232,10 +232,10 @@ Dependency Vulnerabilities - + CVE-2019-10768: Apache NiFi's AngularJS usage -Severity: High +Severity: Important Versions Affected: Apache NiFi 1.8.0 - 1.10.0 @@ -325,7 +325,7 @@ CVE-2017-5637, CVE-2016-5017, CVE-2018-8012: Apache NiFi's Zookeeper usage -Severity: High +Severity: Important Versions Affected: Apache NiFi 1.0.0 - 1.9.2 
@@ -473,13 +473,13 @@ CVE-2018-17195: Apache NiFi CSRF vulnerability in template upload API -Severity: Severe +Severity: Critical Versions Affected: Apache NiFi 1.0.0 - 1.7.1 -Description: The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + meddler in the middle (MITM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Severe severity level. +Description: The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + meddler in the middle (MITM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Critical severity level. Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Credit: This issue was discovered by Mike Cole. CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17195; target="_blank">Mitre Database: CVE-2018-17195 @@ -599,7 +599,7 @@ CVE-2018-7489, CVE-2017-7525, and CVE-2017-15095: Apache NiFi dependency vulnerability in FasterXML Jackson -Severity: Severe +Severity: Critical Versions Affected: Apache NiFi 0.1.0 - 1.6.0 @@ -691,7 +691,7 @@ CVE-2017-8028: Apache NiFi LDAP TLS issue because of Spring Security LDAP vulnerability -Severity: Severe +Severity: Critical Versions Affected: Apache NiFi 0.1.0 - 1.5.0
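Review bot: in the @@ -192 hunk the retitled CVE-2020-1928 entry still reads `Mitigation: Removed debug logging from the class.` without naming the class; since the description now identifies the sensitive parameter parser, name it in the mitigation line (or link the Jira/PR as the other entries do) so readers can verify the fix in the source.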
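Review bot: the @@ -211 hunk, together with the @@ -232, @@ -325, @@ -473, @@ -599 and @@ -691 hunks, renames `High` to `Important` and `Severe` to `Critical`, but the page nowhere states the resulting scale; add a short legend near the top of the page listing the severity levels in use and their order so the reconciled labels read consistently across older and newer entries.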
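Review bot: in the @@ -473 hunk the replacement description only swaps `Severe` for `Critical` and keeps `accepted requests from different domain`; since the whole line is being rewritten anyway, correct it to `from a different domain` (the same sentence is duplicated verbatim in the nifi-site template, so fix both).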
[nifi-site] branch master updated: Reconciled differing severity levels and fixed row formatting.
This is an automated email from the ASF dual-hosted git repository. alopresto pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/nifi-site.git The following commit(s) were added to refs/heads/master by this push: new 351d43a Reconciled differing severity levels and fixed row formatting. 351d43a is described below commit 351d43abc780e2ff02b02a1e32bf15e4f88bfdb5 Author: Andy LoPresto AuthorDate: Mon Feb 10 12:37:24 2020 -0800 Reconciled differing severity levels and fixed row formatting. --- src/pages/html/security.hbs | 20 ++-- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs index 8132837..c4c4705 100644 --- a/src/pages/html/security.hbs +++ b/src/pages/html/security.hbs @@ -88,14 +88,14 @@ title: Apache NiFi Security Reports -CVE-2020-1928: Apache NiFi information disclosure by debug logging +CVE-2020-1928: Apache NiFi information disclosure in logs Severity: Moderate Versions Affected: Apache NiFi 1.10.0 -Description: The sensitive parameter parser would log parsed values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. +Description: The sensitive parameter parser would log parsed property descriptor values for debugging purposes. This would expose literal values entered in a sensitive property when no parameter was present. Mitigation: Removed debug logging from the class. Users running the 1.10.0 release should upgrade to the latest release. Credit: This issue was discovered by Andy LoPresto. CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1928; target="_blank">Mitre Database: CVE-2020-1928 @@ -107,7 +107,7 @@ title: Apache NiFi Security Reports CVE-2020-1933: Apache NiFi XSS attack -Severity: High +Severity: Important Versions Affected: Apache NiFi 1.0.0 - 1.10.0 
@@ -128,10 +128,10 @@ title: Apache NiFi Security Reports Dependency Vulnerabilities - + CVE-2019-10768: Apache NiFi's AngularJS usage -Severity: High +Severity: Important Versions Affected: Apache NiFi 1.8.0 - 1.10.0 @@ -221,7 +221,7 @@ title: Apache NiFi Security Reports CVE-2017-5637, CVE-2016-5017, CVE-2018-8012: Apache NiFi's Zookeeper usage -Severity: High +Severity: Important Versions Affected: Apache NiFi 1.0.0 - 1.9.2 @@ -369,13 +369,13 @@ title: Apache NiFi Security Reports CVE-2018-17195: Apache NiFi CSRF vulnerability in template upload API -Severity: Severe +Severity: Critical Versions Affected: Apache NiFi 1.0.0 - 1.7.1 -Description: The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + meddler in the middle (MITM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a SevereDescription: The template upload API endpoint accepted requests from different domain when sent in conjunction with ARP spoofing + meddler in the middle (MITM) attack, resulting in a CSRF attack. The required attack vector is complex, requiring a scenario with client certificate authentication, same subnet access, and injecting malicious code into an unprotected (plaintext HTTP) website which the targeted user later visits, but the possible damage warranted a Critical< [...] Mitigation: The fix to apply Cross-Origin Resource Sharing (CORS) policy request filtering was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release. Credit: This issue was discovered by Mike Cole. CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17195; target="_blank">Mitre Database: CVE-2018-17195 
@@ -495,7 +495,7 @@ title: Apache NiFi Security Reports CVE-2018-7489, CVE-2017-7525, and CVE-2017-15095: Apache NiFi dependency vulnerability in FasterXML Jackson -Severity: Severe +Severity: Critical Versions Affected: Apache NiFi 0.1.0 - 1.6.0 @@ -587,7 +587,7 @@ title: Apache NiFi Security Reports CVE-2017-8028: Apache NiFi LDAP TLS issue because of Spring Security LDAP vulnerability -Severity: Severe +Severity: Critical Versions Affected: Apache NiFi 0.1.0 - 1.5.0
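Review bot: the @@ -88 hunk (and the hunks that follow it) apply by hand exactly the edits committed to `nifi/site/trunk/security.html` in r1873874, with the same commit message; if that svn `security.html` is the rendered output of this `security.hbs` template, regenerate it from here rather than editing both copies in parallel, otherwise the two will diverge. The replacement description line in the @@ -369 hunk is truncated in this notification (`Critical< [...]`), so compare the two copies in the repositories directly.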
svn commit: r1873872 - /nifi/site/trunk/security.html
Author: alopresto Date: Mon Feb 10 20:32:51 2020 New Revision: 1873872 URL: http://svn.apache.org/viewvc?rev=1873872=rev Log: Added 1.11.1 CVE updates to security page. Modified: nifi/site/trunk/security.html Modified: nifi/site/trunk/security.html URL: http://svn.apache.org/viewvc/nifi/site/trunk/security.html?rev=1873872=1873871=1873872=diff == --- nifi/site/trunk/security.html (original) +++ nifi/site/trunk/security.html Mon Feb 10 20:32:51 2020 @@ -151,6 +151,36 @@ +Fixed in Apache NiFi 1.11.1 + + + + + +Vulnerabilities + + + + +CVE-2020-1942: Apache NiFi information disclosure in logs +Severity: Important +Versions Affected: + +Apache NiFi 0.0.1 - 1.11.0 + + +Description: The flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext. +Mitigation: Implemented Argon2 secure hashing to provide a deterministic loggable value which does not reveal the sensitive value. Users running any previous NiFi release should upgrade to the latest release. +Credit: This issue was discovered by Andy LoPresto. +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1942; target="_blank">Mitre Database: CVE-2020-1942 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-7079; target="_blank">NIFI-7079 +NiFi PR: https://github.com/apache/nifi/pull/4028; target="_blank">PR 4208 +Released: February 4, 2020 + + + + + Fixed in Apache NiFi 1.11.0
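Review bot: in the @@ -151 hunk the new CVE-2020-1942 entry links `https://github.com/apache/nifi/pull/4028` but labels it `PR 4208`; one of the two is a digit transposition, so correct the label (or the URL) before this goes live. The affected range `Apache NiFi 0.0.1 - 1.11.0` also starts lower than the `0.1.0` used as the earliest version in the other entries on this page; confirm 0.0.1 is intended rather than a typo.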
[nifi-site] branch master updated: Added 1.11.1 CVE updates to security page.
This is an automated email from the ASF dual-hosted git repository. alopresto pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/nifi-site.git The following commit(s) were added to refs/heads/master by this push: new 66adafb Added 1.11.1 CVE updates to security page. 66adafb is described below commit 66adafbcbac511fd072ed0b73e3bb548ac9c8025 Author: Andy LoPresto AuthorDate: Mon Feb 10 12:30:29 2020 -0800 Added 1.11.1 CVE updates to security page. --- src/pages/html/security.hbs | 30 ++ 1 file changed, 30 insertions(+) diff --git a/src/pages/html/security.hbs b/src/pages/html/security.hbs index a75d640..8132837 100644 --- a/src/pages/html/security.hbs +++ b/src/pages/html/security.hbs @@ -47,6 +47,36 @@ title: Apache NiFi Security Reports +Fixed in Apache NiFi 1.11.1 + + + + + +Vulnerabilities + + + + +CVE-2020-1942: Apache NiFi information disclosure in logs +Severity: Important +Versions Affected: + +Apache NiFi 0.0.1 - 1.11.0 + + +Description: The flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was printed, potentially containing sensitive values in plaintext. +Mitigation: Implemented Argon2 secure hashing to provide a deterministic loggable value which does not reveal the sensitive value. Users running any previous NiFi release should upgrade to the latest release. +Credit: This issue was discovered by Andy LoPresto. +CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1942; target="_blank">Mitre Database: CVE-2020-1942 +NiFi Jira: https://issues.apache.org/jira/browse/NIFI-7079; target="_blank">NIFI-7079 +NiFi PR: https://github.com/apache/nifi/pull/4028; target="_blank">PR 4208 +Released: February 4, 2020 + + + + + Fixed in Apache NiFi 1.11.0
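Review bot: in the @@ -47 hunk the mitigation text says Argon2 hashing provides `a deterministic loggable value`; because the description says the fingerprint of the cluster flow is compared with that of the local flow, the hash must be reproducible across nodes, so state how that is achieved (fixed salt and parameters, for example) so readers do not assume a per-node salt. The same block was committed by hand to `nifi/site/trunk/security.html` in r1873872 with the same `PR 4208` label pointing at `pull/4028`; fix the label here in the template and regenerate the rendered page from it.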
[nifi] branch master updated: NIFI-7106 - Add parent name and parent path in SiteToSiteStatusReportingTask
This is an automated email from the ASF dual-hosted git repository. mattyb149 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/nifi.git The following commit(s) were added to refs/heads/master by this push: new 58bcd6c NIFI-7106 - Add parent name and parent path in SiteToSiteStatusReportingTask 58bcd6c is described below commit 58bcd6c5ddc1989e99b5630b89f413ef4726b4a0 Author: Pierre Villard AuthorDate: Tue Feb 4 22:35:11 2020 -0500 NIFI-7106 - Add parent name and parent path in SiteToSiteStatusReportingTask Signed-off-by: Matthew Burgess This closes #4039 --- .../reporting/SiteToSiteStatusReportingTask.java | 62 +- .../additionalDetails.html | 2 + .../src/main/resources/schema-status.avsc | 2 + .../TestSiteToSiteStatusReportingTask.java | 5 ++ 4 files changed, 46 insertions(+), 25 deletions(-) diff --git a/nifi-nar-bundles/nifi-site-to-site-reporting-bundle/nifi-site-to-site-reporting-task/src/main/java/org/apache/nifi/reporting/SiteToSiteStatusReportingTask.java b/nifi-nar-bundles/nifi-site-to-site-reporting-bundle/nifi-site-to-site-reporting-task/src/main/java/org/apache/nifi/reporting/SiteToSiteStatusReportingTask.java index 2466827..31009f8 100644 --- a/nifi-nar-bundles/nifi-site-to-site-reporting-bundle/nifi-site-to-site-reporting-task/src/main/java/org/apache/nifi/reporting/SiteToSiteStatusReportingTask.java +++ b/nifi-nar-bundles/nifi-site-to-site-reporting-bundle/nifi-site-to-site-reporting-task/src/main/java/org/apache/nifi/reporting/SiteToSiteStatusReportingTask.java @@ -94,6 +94,7 @@ public class SiteToSiteStatusReportingTask extends AbstractSiteToSiteReportingTa private volatile Pattern componentTypeFilter; private volatile Pattern componentNameFilter; +private volatile Map processGroupIDToPath; public SiteToSiteStatusReportingTask() throws IOException { final InputStream schema = getClass().getClassLoader().getResourceAsStream("schema-status.avsc"); 
@@ -122,6 +123,9 @@ public class SiteToSiteStatusReportingTask extends AbstractSiteToSiteReportingTa componentTypeFilter = Pattern.compile(context.getProperty(COMPONENT_TYPE_FILTER_REGEX).evaluateAttributeExpressions().getValue()); componentNameFilter = Pattern.compile(context.getProperty(COMPONENT_NAME_FILTER_REGEX).evaluateAttributeExpressions().getValue()); +// initialize the map +processGroupIDToPath = new HashMap(); + final ProcessGroupStatus procGroupStatus = context.getEventAccess().getControllerStatus(); final String rootGroupName = procGroupStatus == null ? null : procGroupStatus.getName(); @@ -145,8 +149,8 @@ public class SiteToSiteStatusReportingTask extends AbstractSiteToSiteReportingTa df.setTimeZone(TimeZone.getTimeZone("Z")); final JsonArrayBuilder arrayBuilder = factory.createArrayBuilder(); -serializeProcessGroupStatus(arrayBuilder, factory, procGroupStatus, df, hostname, rootGroupName, -platform, null, new Date(), allowNullValues); +serializeProcessGroupStatus(arrayBuilder, factory, procGroupStatus, df, +hostname, rootGroupName, platform, null, new Date(), allowNullValues); final JsonArray jsonArray = arrayBuilder.build(); 
@@ -230,22 +234,26 @@ public class SiteToSiteStatusReportingTask extends AbstractSiteToSiteReportingTa *The root process group name * @param platform *The configured platform - * @param parentId - *The parent's component id + * @param parent + *The parent's process group status object * @param currentDate *The current date * @param allowNullValues *Allow null values */ private void serializeProcessGroupStatus(final JsonArrayBuilder arrayBuilder, final JsonBuilderFactory factory, -final ProcessGroupStatus status, final DateFormat df, -final String hostname, final String applicationName, final String platform, final String parentId, final Date currentDate, Boolean allowNullValues) { +final ProcessGroupStatus status, final DateFormat df, final String hostname, final String applicationName, +final String platform, final ProcessGroupStatus parent, final Date currentDate, Boolean allowNullValues) { final JsonObjectBuilder builder = factory.createObjectBuilder(); -final String componentType = (parentId == null) ? "RootProcessGroup" : "ProcessGroup"; +final String componentType = parent == null ? "RootProcessGroup" : "ProcessGroup"; final String componentName = status.getName(); +if(parent == null) { +processGroupIDToPath.put(status.getId(), "NiFi Flow"); +} + if (componentMatchesFilters(componentType, componentName)) { -
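Review bot: in the @@ -94 hunk `processGroupIDToPath` is added as a `volatile` instance field, yet the @@ -122 hunk re-creates it with `new HashMap()` at the start of every trigger and the @@ -230 hunk fills it while walking the group tree; it is per-invocation scratch state, so pass it down to `serializeProcessGroupStatus` as a parameter (or keep it as a local) instead of storing it on the task, where two overlapping invocations would overwrite each other's map and `volatile` gives no protection against that.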
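Review bot: in the @@ -230 hunk the root group's path is hard-coded as `"NiFi Flow"` even though `applicationName`, documented in the same method's Javadoc as `The root process group name` and supplied as `rootGroupName` by the caller in the @@ -145 hunk, is already available; use that value (or document that the path root is intentionally fixed) so a renamed root group is reported consistently with its name field. Minor: `if(parent == null)` drops the space that the surrounding `if (componentMatchesFilters(...))` style uses.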
[nifi-minifi-cpp] branch master updated (455d4b3 -> cf74e97)
This is an automated email from the ASF dual-hosted git repository. aboda pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/nifi-minifi-cpp.git. from 455d4b3 MINIFICPP-1047 Add property "Drop empty flow files" to PublishKafka add cf74e97 MINIFICPP-1147 Implemented. No new revisions were added by this update. Summary of changes: .../windows-event-log/ConsumeWindowsEventLog.cpp | 121 +++-- .../windows-event-log/ConsumeWindowsEventLog.h | 5 +- 2 files changed, 118 insertions(+), 8 deletions(-)
[nifi-minifi-cpp] branch master updated (dfbe225 -> 455d4b3)
This is an automated email from the ASF dual-hosted git repository. aboda pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/nifi-minifi-cpp.git. from dfbe225 MINIFICPP-1150 Fix const-correctness of the non-virtual subset of FlowFile member functions add 455d4b3 MINIFICPP-1047 Add property "Drop empty flow files" to PublishKafka No new revisions were added by this update. Summary of changes: extensions/librdkafka/PublishKafka.cpp | 54 +++-- extensions/librdkafka/PublishKafka.h | 235 +++-- .../include/utils/{ScopeGuard.h => GeneralUtils.h} | 50 ++--- libminifi/include/utils/ScopeGuard.h | 2 +- 4 files changed, 180 insertions(+), 161 deletions(-) copy libminifi/include/utils/{ScopeGuard.h => GeneralUtils.h} (57%)
[nifi-minifi-cpp] branch master updated (6fba2b6 -> dfbe225)
This is an automated email from the ASF dual-hosted git repository. aboda pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/nifi-minifi-cpp.git. from 6fba2b6 MINIFICPP-1148 ClientSocket: fix addrinfo lifetime add dfbe225 MINIFICPP-1150 Fix const-correctness of the non-virtual subset of FlowFile member functions No new revisions were added by this update. Summary of changes: libminifi/include/core/FlowFile.h | 32 libminifi/src/core/FlowFile.cpp | 21 ++--- 2 files changed, 26 insertions(+), 27 deletions(-)