From: Andy LoPresto
Reply-To: users@nifi.apache.org
To: security@nifi.apache.org
Cc: users@nifi.apache.org, dev@nifi.apache.org, oss-security@lists.openwall.com
Subject: [ANNOUNCE] CVE advisory for Apache NiFi 1.0.0 - 1.3.0
Date: Thu, 25 Jan 2018 11:56:19 -0800
Message-Id: <272754A9-6299-4B6E-B0FB-BCC3FD8668B6@apache.org>
Mailing-List: contact dev-help@nifi.apache.org; run by ezmlm
The Apache NiFi PMC would like to announce the following CVE discovery in Apache NiFi 1.1.0 - 1.3.0. This issue was resolved with the release of NiFi 1.4.0 on October 2, 2017.

NiFi is an easy to use, powerful, and reliable system to process and distribute data. It supports powerful and scalable directed graphs of data routing, transformation, and system mediation logic. For more information, see https://nifi.apache.org/security.html.

CVE-2017-15703: Apache NiFi Java deserialization issue in template XML upload

Severity: Moderate

Versions Affected: Apache NiFi 1.0.0 - 1.3.0

Description: Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via a Java deserialization attack.

Mitigation: The fix to properly handle Java deserialization was applied in the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

Credit: This issue was discovered by Mike Cole.

Released: October 2, 2017 (Updated January 25, 2018)
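The advisory does not describe how a template upload reached Java deserialization in NiFi, nor what the 1.4.0 fix looks like, so the following is a generic illustration of the defensive control for this bug class rather than NiFi's code or its patch. It is an added example: a JEP 290 ObjectInputFilter (Java 9+) installed on the stream that reads an untrusted serialized payload bounds graph depth, reference count and byte size, and allow-lists the few types the format needs, so a hostile blob is rejected before it can exhaust the JVM. The class name `TemplateDeserializationGuard`, the limits and the allow-listed types are constructed assumptions for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

/**
 * Added illustration, not Apache NiFi's code or its CVE-2017-15703 fix.
 * A JEP 290 deserialization filter is attached to the stream that reads an
 * uploaded payload; the filter rejects oversized or over-deep graphs and any
 * class outside a small allow-list before that class is instantiated.
 */
public class TemplateDeserializationGuard {

    // Constructed limits for the example; tune them to the payloads a real service accepts.
    static final String FILTER_PATTERN =
            "maxdepth=16;maxrefs=1000;maxbytes=65536;"
            + "java.util.ArrayList;java.lang.String;!*";   // "!*": everything else is rejected

    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(FILTER_PATTERN);

    /** Deserializes {@code payload} under the filter; throws on any rejected class or limit. */
    static Object readGuarded(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(FILTER);   // must be set before the first readObject()
            return in.readObject();
        }
    }

    /** Produces a serialized payload for the demo (stands in for an uploaded file). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Builds a list nested {@code levels} deep ([[[...]]]), the shape that drives graph depth. */
    static List<Object> nested(int levels) {
        List<Object> root = new ArrayList<>();
        List<Object> cur = root;
        for (int i = 1; i < levels; i++) {
            List<Object> next = new ArrayList<>();
            cur.add(next);
            cur = next;
        }
        return root;
    }

    public static void main(String[] args) throws Exception {
        // 1. A benign, shallow payload made only of allow-listed types passes.
        List<Object> benign = new ArrayList<>(List.of("GetFile", "PutFile"));
        System.out.println("benign  -> " + readGuarded(serialize(benign)));

        // 2. A constructed payload nested 200 deep exceeds maxdepth=16: the filter throws
        //    InvalidClassException ("filter status: REJECTED") at the 17th level, so the
        //    rest of the graph is never materialised.
        try {
            readGuarded(serialize(nested(200)));
            System.out.println("deep    -> accepted (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("deep    -> rejected: " + e.getMessage());
        }

        // 3. A type outside the allow-list (java.util.HashMap) is rejected even when shallow,
        //    which is what stops gadget classes the format never needs.
        try {
            readGuarded(serialize(new java.util.HashMap<String, String>()));
            System.out.println("hashmap -> accepted (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("hashmap -> rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with any JDK 9 or later (`javac TemplateDeserializationGuard.java && java TemplateDeserializationGuard`). The filter string is evaluated left to right and the trailing `!*` makes the policy deny-by-default; the resource limits apply even to allow-listed classes, which is the part that matters for the denial-of-service case this advisory describes. On JDK 9 and later the same policy can also be applied process-wide with the `jdk.serialFilter` system property instead of per stream.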
Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69
