Description

In Apache NiFi 1.2.0 to 1.11.4, the NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.

Remediation

References

https://lists.apache.org/thread.html/r2d9c21f9ec35d66f2bb42f8abe876dabd786166b6284e9a33582c718%40%3Ccommits.nifi.apache.org%3E

https://lists.apache.org/thread.html/re48582efe2ac973f8cff55c8b346825cb491c71935e15ab2d61ef3bf%40%3Ccommits.nifi.apache.org%3E

https://nifi.apache.org/security#CVE-2020-9491

Related Vulnerabilities

CVE-2021-22569 Vulnerability in maven package com.google.protobuf:protobuf-java

CVE-2020-13279 Vulnerability in npm package gitlab-workflow

CVE-2019-10373 Vulnerability in maven package org.jenkins-ci.plugins:build-pipeline-plugin

CVE-2023-0264 Vulnerability in maven package org.keycloak:keycloak-services

CVE-2023-40343 Vulnerability in maven package io.jenkins.plugins:tuleap-oauth

Severity

High

Classification

CWE-327 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory