Vulnerability description
Apache NiFi is an open source data flow processing and automation tool. DBCPConnectionPool and HikariCPConnectionPool are two controller services used to provide connection pool management functions for databases.
Affected versions of Apache NiFi, since the DBCPConnectionPool and HikariCPConnectionPool controller services do not validate the URL string of the user-configured H2 driver, an authenticated attacker can construct an H2 JDBC URL containing a malicious payload to execute a malicious code.
Developers are recommended to upgrade to NiFi 1.22.0 version, which disables H2 JDBC URL in default configuration to fix this vulnerability.
Vulnerability name | Code Injection Vulnerability in Apache NiFi H2 Driver |
---|---|
Vulnerability type | code injection |
Discovery time | 2023/6/13 |
Vulnerability Breadth | generally |
MPS number | MPS-v4am-pz0t |
CVE number | CVE-2023-34468 |
CNVD number | - |
Sphere of influence
org.apache.nifi:nifi@[0.0.2, 1.22.0);
Repair plan
Upgrade org.apache.nifi:nifi to version 1.22.0 and above
The official has released a patch to disable the H2 JDBC URL: https://github.com/apache/nifi/commit/6e064a8bdef1cd4f91ea8f42ee16a3675d2f9a9d
reference link
https://www.oscs1024.com/hd/MPS-v4am-pz0t
https://nvd.nist.gov/vuln/detail/CVE-2023-34468
https://issues.apache.org/jira/browse/NIFI-11653
https://github.com/apache/nifi/commit/6e064a8bdef1cd4f91ea8f42ee16a3675d2f9a9d
About Murphy Security
Murphy Security is a technology company that provides you with professional software supply chain security management. The core team comes from Baidu, Huawei, Wuyun and other enterprises. The company provides customers with a complete software supply chain security management platform, and provides software with a full life cycle around SBOM Security management, platform capabilities include software component analysis, source security management, container image detection, vulnerability intelligence early warning and commercial software supply chain access assessment and other products. Provide customers with complete control capabilities from supply chain asset identification management, risk detection, security control, and one-key repair.
Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj
The product can be integrated with various tools in the existing development process at a very low cost, including seamless integration with dozens of tools such as IDE, Gitlab, Bitbucket, Jenkins, Harbor, and Nexus.
Free code security detection tool: https://www.murphysec.com/?sf=qbyj
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj