As noted, that specific CVE is addressed already on the 1.x line as of 1.26. There are no plans to backport that to older 1.x lines.
However, if you're scanning versions, there are a number of noted vulnerabilities of differing levels that impact the 1.x line related to Spring/Spring Security/Jetty/etc. components which cannot be addressed on the 1.x line. They are, however, all addressed in 2.x.

Thanks

On Thu, Oct 3, 2024 at 1:05 PM Chirthani, Deepak Reddy <[email protected]> wrote:

> Michael,
>
> Upgrading Apache Nifi to 1.26.0 or higher is the only solution or do you think we can update the spring framework dependencies? Also, which will be the effective solution?
>
> Thanks
>
> *Deepak Reddy* | Data Engineer
> IT Centers of Excellence
> 13736 Riverport Dr., Maryland Heights, MO 63043
>
> *From:* Michael Moser <[email protected]>
> *Sent:* Wednesday, October 2, 2024 12:28 PM
> *To:* [email protected]
> *Cc:* Chirthani, Deepak Reddy <[email protected]>
> *Subject:* [EXTERNAL] Re: cve-2024-22243
>
> CAUTION: The e-mail below is from an external source. Please exercise caution before opening attachments, clicking links, or following guidance.
>
> Each Apache NiFi release tends to upgrade several dependencies, so from a security standpoint we always recommend using the latest version.
>
> For that specific CVE, however, you will want to use NiFi version 1.26.0 or higher.
>
> Regards,
> -- Mike
>
> On Wed, Oct 2, 2024 at 10:19 AM Chirthani, Deepak Reddy <[email protected]> wrote:
>
> Hi,
>
> Wanted to know how to resolve the cve-2024-22243 on Nifi on-prem clusters with version 1.21.0. Any inputs/advice are appreciated.
>
> Thanks
>
> The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments.
> If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
