Multiple flaws were discovered in NiFi versions 1.3.0 to 1.9.2
Affected Product(s) :
Apache NiFi 1.3.0 – 1.9.2
Vulnerability Details :
CVE ID :
If NiFi uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user’s client-side token to be used for up to 12 hours after logging out to make API requests to NiFi.
Mitigation : The fix to invalidate the server-side authentication token immediately after the user clicks ‘Log Out’ was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
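The logout weakness described above comes down to where the "logged out" state lives. The following added example (not NiFi's code; the token format, signing key and timestamps are constructed for illustration) contrasts a server that only relies on the client discarding its token with one that records the token id in a server-side revocation set on logout. The replay one hour after logout succeeds only against the first.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed values for the example; a real deployment keeps the signing key
# in a key store, and NiFi's actual token format is not reproduced here.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME_SECONDS = 12 * 60 * 60  # the advisory's 12-hour window


def issue_token(username: str, now: int) -> str:
    """Issue a signed bearer token with a 12-hour expiry and a unique id (jti)."""
    payload = {"sub": username, "exp": now + TOKEN_LIFETIME_SECONDS,
               "jti": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def parse_token(token: str):
    """Verify the signature and return the payload, or None if tampered."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class ClientOnlyLogoutServer:
    """Models the vulnerable behaviour: logout only discards the token in the
    browser, and the server keeps honouring it until 'exp' passes."""

    def logout(self, token: str) -> None:
        pass  # nothing is recorded server-side

    def accepts(self, token: str, now: int) -> bool:
        payload = parse_token(token)
        return payload is not None and payload["exp"] > now


class RevokingLogoutServer(ClientOnlyLogoutServer):
    """Hardened variant: logout records the token id in a revocation set that
    is consulted on every request. Entries are dropped once the token would
    have expired anyway, so the set stays bounded."""

    def __init__(self) -> None:
        self._revoked: dict[str, int] = {}  # jti -> exp

    def logout(self, token: str) -> None:
        payload = parse_token(token)
        if payload is not None:
            self._revoked[payload["jti"]] = payload["exp"]

    def accepts(self, token: str, now: int) -> bool:
        # Purge entries whose natural expiry has already passed.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}
        payload = parse_token(token)
        if payload is None or payload["exp"] <= now:
            return False
        return payload["jti"] not in self._revoked


def simulate(server_cls) -> dict:
    """Issue a token, log out, then replay it one hour and thirteen hours later."""
    server = server_cls()
    t0 = 1_700_000_000  # constructed timestamp
    token = issue_token("analyst", t0)
    server.logout(token)
    return {"replay_after_1h": server.accepts(token, t0 + 3600),
            "replay_after_13h": server.accepts(token, t0 + 13 * 3600)}


if __name__ == "__main__":
    print("client-only logout:", simulate(ClientOnlyLogoutServer))
    print("server-side revocation:", simulate(RevokingLogoutServer))
```

The revocation set is the minimal server-side state a stateless-token design needs for logout to mean anything; in a clustered deployment it has to be shared (or replicated) across nodes, otherwise a node that did not see the logout still accepts the token.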
CVE ID :
When updating a Process Group via the API, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.
Mitigation : Requests to update or remove the process group will no longer return the contents of the process group in the response in Apache NiFi 1.10.0. Users running a prior 1.x release should upgrade to the appropriate release.
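The information-disclosure issue above is a response-shaping problem: the update succeeded, but the response echoed children the caller had no read permission on. This added example (not NiFi's code; the entities, permission lists and principals are constructed) models the leaky response beside the 1.10.0 shape that omits the contents, plus an audit helper that flags any component in a response the principal is not permitted to read. A filtered variant is included as a general alternative, labelled as such; it is not what the advisory describes NiFi doing.

```python
from dataclasses import dataclass, field


@dataclass
class Component:
    id: str
    kind: str             # "processor" or "controller-service"
    name: str
    readers: frozenset    # principals allowed to read this component


@dataclass
class ProcessGroup:
    id: str
    name: str
    readers: frozenset
    writers: frozenset
    components: list = field(default_factory=list)  # direct children only


def can_read(principal: str, entity) -> bool:
    return principal in entity.readers


def _apply_update(group: ProcessGroup, principal: str, new_name: str) -> None:
    if principal not in group.writers:
        raise PermissionError(f"{principal} may not modify {group.id}")
    group.name = new_name


def update_group_leaky(group, principal, new_name) -> dict:
    """Vulnerable shape: echoes every direct child, regardless of the caller's
    read access to that child."""
    _apply_update(group, principal, new_name)
    return {"id": group.id, "name": group.name,
            "contents": [{"id": c.id, "kind": c.kind, "name": c.name}
                         for c in group.components]}


def update_group_fixed(group, principal, new_name) -> dict:
    """Hardened shape matching the advisory: the response carries only the
    group entity itself, never its contents."""
    _apply_update(group, principal, new_name)
    return {"id": group.id, "name": group.name}


def update_group_filtered(group, principal, new_name) -> dict:
    """Alternative (not the advisory's fix): return only the children the
    caller is authorised to read, which is what a read request would show."""
    _apply_update(group, principal, new_name)
    return {"id": group.id, "name": group.name,
            "contents": [{"id": c.id, "kind": c.kind, "name": c.name}
                         for c in group.components if can_read(principal, c)]}


def leaked_components(response: dict, principal: str, group: ProcessGroup) -> list:
    """Audit helper: ids present in the response that the principal may not read."""
    by_id = {c.id: c for c in group.components}
    return [entry["id"] for entry in response.get("contents", [])
            if not can_read(principal, by_id[entry["id"]])]


def sample_group() -> ProcessGroup:
    # Constructed fixture: 'analyst' can edit the group and read one child,
    # but the controller service is readable by 'admin' only.
    return ProcessGroup(
        id="pg-1", name="ingest", readers=frozenset({"analyst", "admin"}),
        writers=frozenset({"analyst", "admin"}),
        components=[
            Component("proc-1", "processor", "GetFile", frozenset({"analyst", "admin"})),
            Component("cs-2", "controller-service", "DBCPConnectionPool", frozenset({"admin"})),
        ])


if __name__ == "__main__":
    for fn in (update_group_leaky, update_group_fixed, update_group_filtered):
        g = sample_group()
        resp = fn(g, "analyst", "ingest-v2")
        print(fn.__name__, "leaks:", leaked_components(resp, "analyst", g))
```

The audit helper is the useful part for testing: run it against every mutating endpoint's response with a low-privilege principal and any non-empty result is a finding of the same class as this one.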
CVE ID :
The XMLFileLookupService allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFi instance uses.
Mitigation : A validator to ensure the XML file is not malicious was applied on the Apache NiFi 1.10.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
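A validator of the kind the mitigation mentions has to refuse the file before any entity is resolved, because by the time an external entity is expanded the outbound request has already been made. The following added example (not NiFi's validator, and the flat key/value layout is a constructed stand-in for the real lookup file format) parses with expat handlers that reject any DOCTYPE, entity declaration or external entity reference, so a file carrying a DTD is rejected outright rather than parsed and then inspected.

```python
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when the document carries constructs a lookup file never needs."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise UnsafeXmlError(f"DOCTYPE declarations are not permitted (got {name!r})")


def _reject_entity(*_):
    raise UnsafeXmlError("entity declarations are not permitted")


def _reject_external_ref(*_):
    raise UnsafeXmlError("external entity references are not permitted")


def parse_lookup_xml(data: bytes) -> dict:
    """Parse <properties><property key="k">v</property>...</properties> into a
    dict, refusing DTDs and entities before any expansion can occur."""
    result = {}
    state = {"key": None, "text": []}
    parser = expat.ParserCreate()
    # Hardening: fail closed on every construct that could trigger XXE or
    # entity-expansion abuse. These fire before the body is processed.
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.ExternalEntityRefHandler = _reject_external_ref

    def start(tag, attrs):
        if tag == "property":
            state["key"] = attrs.get("key")
            state["text"] = []

    def chars(text):
        if state["key"] is not None:
            state["text"].append(text)  # expat may deliver text in chunks

    def end(tag):
        if tag == "property" and state["key"] is not None:
            result[state["key"]] = "".join(state["text"])
            state["key"] = None

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return result


def validate_lookup_xml(data: bytes) -> tuple:
    """Return (accepted, reason) so the caller can surface a useful message."""
    try:
        parse_lookup_xml(data)
        return True, "ok"
    except UnsafeXmlError as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"


# Constructed sample files for the example.
GOOD_XML = b"""<?xml version="1.0"?>
<properties>
  <property key="region">eu-west</property>
  <property key="tier">gold</property>
</properties>
"""

BAD_XML = b"""<?xml version="1.0"?>
<!DOCTYPE properties [
  <!ENTITY ext SYSTEM "http://example.invalid/probe">
]>
<properties>
  <property key="region">&ext;</property>
</properties>
"""

if __name__ == "__main__":
    print(validate_lookup_xml(GOOD_XML), parse_lookup_xml(GOOD_XML))
    print(validate_lookup_xml(BAD_XML))
```

Rejecting the DOCTYPE wholesale is deliberate: a lookup file has no legitimate use for a DTD, and allow-listing "safe" entity declarations is far easier to get wrong than refusing them all. The same handler trio is what hardened XML parsers (for example, the defusedxml wrappers for Python's stdlib) install.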
Apache has released update packages for all affected products listed above.