Description
In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.
Remediation
References
https://lists.apache.org/thread.html/r2d9c21f9ec35d66f2bb42f8abe876dabd786166b6284e9a33582c718%40%3Ccommits.nifi.apache.org%3E
https://lists.apache.org/thread.html/re48582efe2ac973f8cff55c8b346825cb491c71935e15ab2d61ef3bf%40%3Ccommits.nifi.apache.org%3E
https://nifi.apache.org/security#CVE-2020-9491
Related Vulnerabilities
CVE-2020-6428 Vulnerability in npm package electron
CVE-2015-5345 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2014-3488 Vulnerability in maven package io.netty:netty
CVE-2022-36904 Vulnerability in maven package org.jenkins-ci.plugins:repository-connector
CVE-2023-41900 Vulnerability in maven package org.eclipse.jetty:jetty-openid