Description

In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.

Remediation

References

https://nifi.apache.org/security#CVE-2020-9491

https://lists.apache.org/thread.html/re48582efe2ac973f8cff55c8b346825cb491c71935e15ab2d61ef3bf%40%3Ccommits.nifi.apache.org%3E

https://lists.apache.org/thread.html/r2d9c21f9ec35d66f2bb42f8abe876dabd786166b6284e9a33582c718%40%3Ccommits.nifi.apache.org%3E

Related Vulnerabilities

CVE-2020-11969 Vulnerability in maven package org.apache.tomee:openejb-core

CVE-2022-1415 Vulnerability in maven package org.drools:drools-compiler

CVE-2023-32325 Vulnerability in npm package posthog-js

CVE-2011-1184 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2020-1717 Vulnerability in maven package org.keycloak:keycloak-parent

Severity

High

Classification

CWE-327 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory