===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2536
                   [ANNOUNCE] Apache NiFi CVE-2017-12623
                               10 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache NiFi
Publisher:         The Apache Software Foundation
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12623

Original Bulletin:
   https://nifi.apache.org/security.html#CVE-2017-12623

---------------------------BEGIN INCLUDED TEXT--------------------

CVE-2017-12623: Apache NiFi XXE issue in template XML upload

Apache NiFi PMC would like to announce the discovery and resolution of
CVE-2017-12623. This issue has been resolved and a new version of the Apache
NiFi project was released in accordance with the Apache Release Process.

Apache NiFi is an easy to use, powerful, and reliable system to process and
distribute data. It supports powerful and scalable directed graphs of data
routing, transformation, and system mediation logic.

Fixed in Apache NiFi 1.4.0 (Released: October 2, 2017)

CVE-2017-12623: Apache NiFi XXE issue when loading template

Severity: Medium

Versions Affected: Apache NiFi 1.0.0 - 1.3.0

Description: An authorized user could upload a template which contained
malicious code and accessed sensitive files via an XML External Entity (XXE)
attack.

Mitigation: The fix to properly handle XML External Entities was applied on
the Apache NiFi 1.4.0 release. Users running a prior 1.x release should
upgrade to the appropriate release.

Credit: This issue was discovered by Pawel Gocyla.
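As an added illustration of the kind of fix the Mitigation paragraph refers to, and not code from the NiFi project: a JAXP DocumentBuilder hardened so that an uploaded template carrying a DOCTYPE (which any external-entity declaration requires) is rejected before any entity can be resolved. The template element names in the constructed samples are assumed, not NiFi's real schema.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Hardened parser for untrusted template XML (added example, not NiFi's own code). */
public final class SafeTemplateParser {

    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE outright: without one, no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses template bytes; throws SAXException when the document carries a DOCTYPE. */
    static Document parseTemplate(byte[] xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        // Even if a DTD reference slipped through, resolve it to nothing: no file or URL is fetched.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b.parse(new ByteArrayInputStream(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of a benign template (element names assumed).
        String benign = "<?xml version=\"1.0\"?><template><name>demo</name></template>";
        // Constructed sample that declares a DTD; this is what the hardened parser must reject.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE template [<!ENTITY x \"y\">]>"
                + "<template>&x;</template>";
        Document ok = parseTemplate(benign.getBytes(StandardCharsets.UTF_8));
        System.out.println("benign root element: " + ok.getDocumentElement().getTagName());
        try {
            parseTemplate(withDoctype.getBytes(StandardCharsets.UTF_8));
            System.out.println("UNEXPECTED: template with DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected template with DOCTYPE: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE at the parser is the check to put in front of any code path that loads user-supplied XML, since it fails closed regardless of what the entity would have pointed at.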
For more information: https://nifi.apache.org/security.html

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================