Ganesh,

You and/or another person in your email were replied to already on the proper alias, which is the security alias.
In any event, since we are now also here, we will share the same message.

Me: We regularly perform such scans as well. If we confirm we use a vulnerable library in a way that exposes the vulnerability, we act quickly to resolve it. We generally do not backport to older lines and instead continually improve the release going forward. The current release is 1.15 and we are working on 1.16.

Apache Security/Mark: Outdated dependencies are not always security issues. A project would only be affected if a dependency was used in such a way that the affected underlying code is used and the vulnerabilities were exposed. We typically get reports sent to us from scanning tools that look at dependencies out of context of how they are actually used in the projects. As such we reject these reports and suggest you either a) show how the product is affected by the dependency vulnerabilities, or b) simply mention this as a normal bug report to that project. Since dependency vulnerabilities are quite public, there is no need to use this private reporting mechanism for them.

Thanks

On Sun, Dec 12, 2021 at 10:08 PM Ganesh, B (Nokia - IN/Bangalore) <b.gan...@nokia.com> wrote:
> Hi,
>
> As part of the upgrade from nifi-1.13.2 to nifi-1.14.0 we performed scans on
> nifi 1.14.0 and as a result there are a few critical and high vulnerabilities.
>
> Critical vulnerabilities
>
> *Vulnerability Id*   *Severity*   *path*                                     *Fix available*   *Link*
> CVE-2017-7657        Critical     /opt/nifi/lib/jetty-schemas-3.1.jar        None              https://nvd.nist.gov/vuln/detail/CVE-2017-7657
> CVE-2017-7658        Critical     /opt/nifi/lib/jetty-schemas-3.1.jar        None              https://nvd.nist.gov/vuln/detail/CVE-2017-7658
> CVE-2019-12415       Critical     /opt/nifi/lib/nifi-nar-utils-1.14.0.jar    None              https://anchore.int.net.nokia.com:443/v1/query/vulnerabilities?id=VULNDB-216029
>
> High vulnerabilities
>
> *Vulnerability Id*   *Severity*   *path*                                     *Fix available*   *Link*
> CVE-2017-7656        High         /opt/nifi/lib/jetty-schemas-3.1.jar        None              https://nvd.nist.gov/vuln/detail/CVE-2009-5045
> CVE-2017-9735        High         /opt/nifi/lib/jetty-schemas-3.1.jar        None              https://nvd.nist.gov/vuln/detail/CVE-2017-9735
> CVE-2020-27216       High         /opt/nifi/lib/jetty-schemas-3.1.jar        None              https://nvd.nist.gov/vuln/detail/CVE-2020-27216
> VULNDB-256815        High         /opt/nifi-toolkit/lib/commons-compress-1.20.jar   None       https://repo1.dso.mil/dsop/opensource/apache/nifi/-/issues/13
> VULNDB-257084        High         /opt/nifi-toolkit/lib/commons-compress-1.20.jar   None       https://repo1.dso.mil/dsop/opensource/apache/nifi/-/issues/13
>
> One or two vulnerabilities are fixed in 1.15, for example CVE-2020-17521:
> https://issues.apache.org/jira/browse/NIFI-8990.
>
> Could you please help us with the impact and fix version, or the possibility of
> fixing it in 1.14 itself?
>
> Thanks & Regards,
> Ganesh.B
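Mark's option (a) in the reply above, showing how the product is actually affected instead of forwarding the scanner's list, is a reachability question. The script below is an added example (my own, not code from this thread or from Apache NiFi) of the two cheapest checks for a Java finding: does the flagged jar ship any bytecode at all, and does anything else on the classpath reference the affected class. Every jar, class name and `org/example/...` identifier here is constructed in memory for the demo and is not a real NiFi artifact.

```python
"""Triage a dependency-scanner finding in context (added example; not from the
NiFi project or this thread).

Two quick checks before accepting a report of the form "CVE-X in foo.jar":
  1. Does the flagged jar contain any bytecode at all?  A jar that holds only
     schemas or resources cannot execute the vulnerable code path.
  2. Does anything else on the classpath reference the affected class?
     Class files store referenced class names as modified-UTF-8 constant-pool
     strings, so a byte search for the internal name ("a/b/C") is a cheap
     reachability heuristic (false positives from string literals are
     possible; reflection and dynamic loading give false negatives).
All jars below are constructed in memory; the names are hypothetical.
"""
import io
import zipfile
from typing import Dict, List


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Create an in-memory jar (a zip) from {entry path: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def class_files(jar_bytes: bytes) -> List[str]:
    """Return the .class entries in a jar; an empty list means no bytecode."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist() if n.endswith(".class")]


def classes_referencing(jar_bytes: bytes, internal_name: str) -> List[str]:
    """List .class entries whose bytes contain internal_name, e.g. 'org/example/Parser'."""
    needle = internal_name.encode("utf-8")
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for n in zf.namelist():
            if n.endswith(".class") and needle in zf.read(n):
                hits.append(n)
    return hits


def triage(flagged_jar: bytes, classpath: Dict[str, bytes], affected_class: str) -> dict:
    """Summarise whether a finding against flagged_jar is plausibly reachable."""
    bytecode = class_files(flagged_jar)
    refs = {name: classes_referencing(jar, affected_class) for name, jar in classpath.items()}
    refs = {k: v for k, v in refs.items() if v}
    return {
        "ships_bytecode": bool(bytecode),
        "referenced_by": refs,
        "plausibly_reachable": bool(bytecode) and bool(refs),
    }


# Constructed sample data (hypothetical names).  The .class contents are
# stand-in bytes: the JVM magic number, a version field and one class name,
# which is all the substring heuristic above needs.
AFFECTED = "org/example/http/HttpParser"  # hypothetical affected class

SCHEMAS_JAR = build_jar({  # resources only, no bytecode
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "javax/servlet/resources/web-app_3_1.xsd": b"<xs:schema/>",
})
SERVER_JAR = build_jar({  # actually contains the affected class
    AFFECTED + ".class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + AFFECTED.encode(),
})
APP_JAR = build_jar({  # consumer that references the affected class
    "org/example/app/Main.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + AFFECTED.encode(),
})
UTIL_JAR = build_jar({  # consumer that does not
    "org/example/util/Strings.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34java/lang/String",
})
CLASSPATH = {"app.jar": APP_JAR, "util.jar": UTIL_JAR}

if __name__ == "__main__":
    print("schemas-only jar:", triage(SCHEMAS_JAR, CLASSPATH, AFFECTED))
    print("server jar      :", triage(SERVER_JAR, CLASSPATH, AFFECTED))
```

For the schemas-only jar the result is `ships_bytecode: False`, so the finding cannot be reachable regardless of who references the class name; for the server jar both checks pass and the report is worth a real look. On a real deployment you would point `build_jar`'s replacement at the files under the lib directory and use the affected class named in the advisory; a positive here is the evidence Mark asks for, a negative is the basis for closing the scanner ticket.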