I second Tom's sentiment. It would be very much appreciated that we can go ahead and upgrade to stop the endless high prio Excel sheets with vulnerability scanner results showing our NiFi servers having the vulnerable library present on disk.
The Github pull requests mentions this: "The upgrade mitigates CVE-2022-42889, although Apache NiFi does not include any direct references to vulnerable instances of the StringLookup class." An official statement along those lines would also help, but after log4j it seems upgrading away the vulnerabilities is less work than managing scan results and waivers. Regards, Isha -----Oorspronkelijk bericht----- Van: Tom Coudyzer <tcdm...@gmail.com> Verzonden: vrijdag 21 oktober 2022 20:21 Aan: users@nifi.apache.org Onderwerp: Re: CVE-2022-42889 and impact on Apache Nifi Hi, Apologies if I posted through the wrong channels. Will have a look to the guidelines. Thanks 🙏 for sharing the pointers on the work that has been done! 1.18.1 could be a good idea I think as you say it would let people more comfortable as there is much noise around this CVE and the immediate conclusion that a patch is needed while it may be a product is not vulnerable to it although having the library as a dependency. Thanks again! /Tom > On 21 Oct 2022, at 20:10, Joe Witt <joe.w...@gmail.com> wrote: > > Tom > > In the future if you're concerned or have questions about a > vulnerability/potential vulnerability please follow the guidance here. > > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnifi > .apache.org%2Fsecurity.html&data=05%7C01%7Cisha.lamboo%40virtualsc > iences.nl%7Cead4aedb1e194bf71e2608dab391076a%7C21429da9e4ad45f99a6fcd1 > 26a64274b%7C0%7C0%7C638019732721385842%7CUnknown%7CTWFpbGZsb3d8eyJWIjo > iMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C% > 7C%7C&sdata=fvlXGKvjL57mhwNFCuHFadP%2BBIb1bzpxojo9sf0yLCk%3D&r > eserved=0 > > Here you can see what we've done for this already on main > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissu > es.apache.org%2Fjira%2Fbrowse%2FNIFI-10648&data=05%7C01%7Cisha.lam > boo%40virtualsciences.nl%7Cead4aedb1e194bf71e2608dab391076a%7C21429da9 > e4ad45f99a6fcd126a64274b%7C0%7C0%7C638019732721542087%7CUnknown%7CTWFp > bGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn > 0%3D%7C3000%7C%7C%7C&sdata=3ZcHs%2Fk%2BTq9KQNHUSuqgQs1snjqYA9UeqFA > ajWWD35A%3D&reserved=0 with more info in > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith > ub.com%2Fapache%2Fnifi%2Fpull%2F6531&data=05%7C01%7Cisha.lamboo%40 > virtualsciences.nl%7Cead4aedb1e194bf71e2608dab391076a%7C21429da9e4ad45 > f99a6fcd126a64274b%7C0%7C0%7C638019732721542087%7CUnknown%7CTWFpbGZsb3 > d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7 > C3000%7C%7C%7C&sdata=1FqnqsteyJJbYvfdu%2FVGs9L%2BJHsuaYVwwl2HP4ie% > 2Bvg%3D&reserved=0 > > It doesn't seem like it thus far but might be worth kicking out a > 1.18.1 just to help people feel more comfortable. Will share more if > that shapes up. > > Thanks > Joe > >> On Fri, Oct 21, 2022 at 10:50 AM Tom Coudyzer <tcdm...@gmail.com> wrote: >> >> Hi, >> >> I looked on the Apache Nifi site and linked sites to find information on how >> CVE-2022-42889 impacts Apache Nifi. >> >> I found an issue report and merge request which indicates the library >> Apache Commons Text has been upgraded to the patched version (1.10) >> and it will be part of v1.19.0 >> >> I could however not find when this version will be released. Could that be >> checked somewhere? >> >> Second question is if Nifi is impacted by this vulnerability because it >> could be that the usage of this library in Apache Nifi does not allow it to >> exploit this vulnerability. >> >> Thank you very much for any feedback and thank you to the open source >> community for having made Apache Nifi and maintaining/improving this product. >> >> /Tom