[High Risk] Apache NiFi JMS component has a JNDI deserialization vulnerability

Vulnerability description

Apache NiFi is an open source data flow processing and automation tool. Its JndiJmsConnectionFactoryProvider controller service obtains a JMS ConnectionFactory through a JNDI lookup, and its configuration includes the JNDI provider URL (the JMS connection address).

In Apache NiFi versions 1.8.0 through 1.21.0, the JndiJmsConnectionFactoryProvider controller service lets an authorized user set both the JNDI provider URL and the client library properties. An authenticated attacker with permission to configure the service can therefore point the provider URL at a malicious JNDI server (for example over LDAP); the lookup then returns attacker-controlled serialized data, which NiFi deserializes, resulting in remote code execution.

Users can mitigate this vulnerability by upgrading to NiFi 1.22.0, or by setting the org.apache.nifi.jms.cf.jndi.provider.url.schemes.allowed property in bootstrap.conf to an allow-list of JNDI URL schemes that excludes LDAP.

Vulnerability name: Apache NiFi JMS component has a JNDI deserialization vulnerability
Vulnerability type: Deserialization
Discovery time: 2023/6/13
Vulnerability breadth: General
MPS number: MPS-y8rd-wenb
CVE number: CVE-2023-34212
CNVD number: -


Affected scope

org.apache.nifi:nifi@[1.8.0, 1.22.0);

Remediation

Upgrade org.apache.nifi:nifi to version 1.22.0 or later

Set the org.apache.nifi.jms.cf.jndi.provider.url.schemes.allowed property in bootstrap.conf to an allow-list of JNDI URL schemes that excludes LDAP
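The scheme allow-list that both mitigation notes above rely on, as an added example that is not Apache NiFi's own code: a small Python script that applies a JNDI URL scheme allow-list to the provider URL of JndiJmsConnectionFactoryProvider services and audits a constructed set of controller-service records for URLs the allow-list would reject. The property name and the affected controller service come from this advisory; the default scheme list (tcp and ssl), the whitespace-separated value format and the shape of the controller-service records are assumptions made for the example and should be checked against the NiFi 1.22.0 bootstrap.conf and your own flow definition.

```python
"""Added example, not Apache NiFi project code: a JNDI provider URL scheme
allow-list check modelled on the CVE-2023-34212 mitigation, and an audit of
constructed controller-service records against it."""
import re

# Property name as given in the advisory for NiFi 1.22.0 / bootstrap.conf.
URL_SCHEMES_ALLOWED_PROPERTY = "org.apache.nifi.jms.cf.jndi.provider.url.schemes.allowed"

# Assumption for this example: a default allow-list of plain and TLS broker
# transports. Check the NiFi 1.22.0 bootstrap.conf for the project's defaults.
DEFAULT_ALLOWED_SCHEMES = frozenset({"tcp", "ssl"})

# Controller service class named in the advisory and the JNDI property that
# holds the provider URL.
JNDI_JMS_PROVIDER_TYPE = "org.apache.nifi.jms.cf.JndiJmsConnectionFactoryProvider"
JNDI_PROVIDER_URL_PROPERTY = "java.naming.provider.url"

# RFC 3986 scheme: a letter followed by letters, digits, "+", "-" or ".".
_SCHEME_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9+.-]*):")


def parse_allowed_schemes(value, default=DEFAULT_ALLOWED_SCHEMES):
    """Turn the property value into a lower-cased scheme set.

    Assumption: the value is a whitespace-separated list; an unset or blank
    value falls back to the default list.
    """
    if value is None or not value.strip():
        return frozenset(default)
    return frozenset(scheme.lower() for scheme in value.split())


def check_provider_url(url, allowed_schemes):
    """Return (allowed, reason) for one JNDI provider URL.

    The scheme is matched case-insensitively so that "LDAP://..." cannot slip
    past a lower-case list. A value with no scheme is rejected rather than
    guessed at. Composite URLs such as ActiveMQ's "failover:(tcp://...)" are
    judged on their outer scheme only, so they are rejected unless "failover"
    is deliberately added to the list.
    """
    if url is None or not url.strip():
        return False, "empty provider URL"
    match = _SCHEME_RE.match(url)
    if match is None:
        return False, "no URL scheme"
    scheme = match.group(1).lower()
    if scheme not in allowed_schemes:
        return False, "scheme '%s' not in allowed set %s" % (scheme, sorted(allowed_schemes))
    return True, "ok"


def audit_controller_services(services, allowed_schemes):
    """Return (name, url, reason) for every JndiJmsConnectionFactoryProvider
    whose provider URL the allow-list would reject; other services are skipped."""
    findings = []
    for service in services:
        if service.get("type") != JNDI_JMS_PROVIDER_TYPE:
            continue
        url = (service.get("properties") or {}).get(JNDI_PROVIDER_URL_PROPERTY)
        allowed, reason = check_provider_url(url, allowed_schemes)
        if not allowed:
            findings.append((service.get("name", "<unnamed>"), url, reason))
    return findings


# Constructed sample records; the field names are an assumption for this
# example, not a documented NiFi export format.
SAMPLE_CONTROLLER_SERVICES = [
    {"name": "Broker via JNDI", "type": JNDI_JMS_PROVIDER_TYPE,
     "properties": {"java.naming.factory.initial": "org.apache.activemq.jndi.ActiveMQInitialContextFactory",
                    JNDI_PROVIDER_URL_PROPERTY: "tcp://broker.internal:61616"}},
    {"name": "Remote LDAP lookup", "type": JNDI_JMS_PROVIDER_TYPE,
     "properties": {"java.naming.factory.initial": "com.sun.jndi.ldap.LdapCtxFactory",
                    JNDI_PROVIDER_URL_PROPERTY: "ldap://203.0.113.10:1389/o=example"}},
    {"name": "Mixed-case LDAPS", "type": JNDI_JMS_PROVIDER_TYPE,
     "properties": {JNDI_PROVIDER_URL_PROPERTY: "LDAPS://203.0.113.10:636/o=example"}},
    {"name": "Unrelated SSL context", "type": "org.apache.nifi.ssl.StandardRestrictedSSLContextService",
     "properties": {}},
]


if __name__ == "__main__":
    allowed = parse_allowed_schemes(None)  # property unset: use the default list
    for name, url, reason in audit_controller_services(SAMPLE_CONTROLLER_SERVICES, allowed):
        print("%s: %r rejected (%s)" % (name, url, reason))
```

In bootstrap.conf NiFi passes JVM system properties as java.arg.<name>=-D<property>=<value> entries, so the hardening line takes the form java.arg.<name>=-Dorg.apache.nifi.jms.cf.jndi.provider.url.schemes.allowed=<schemes>; the argument name and the delimiter between schemes are assumptions here, so copy the exact line from the 1.22.0 bootstrap.conf. The check also makes the caveat visible: the property is an allow-list, so the protection only holds while ldap and ldaps stay off it, and the scheme check alone does nothing to authenticate whatever server a permitted URL points at.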

Reference links

https://nvd.nist.gov/vuln/detail/CVE-2023-34212

https://issues.apache.org/jira/browse/NIFI-11614

https://github.com/apache/nifi/pull/7313

https://github.com/apache/nifi/commit/3fcb82ee4509d1ad73893d8dca003be6d086c5d6

About Murphy Security

Murphy Security is a technology company that provides professional software supply chain security management. Its core team comes from Baidu, Huawei, Wuyun and other companies. The company offers customers a complete software supply chain security management platform built around SBOM-based security management across the software life cycle; the platform's capabilities include software composition analysis, source code security management, container image scanning, vulnerability intelligence early warning and commercial software supply chain onboarding assessment. It gives customers end-to-end control from supply chain asset identification and management, through risk detection and security control, to one-click remediation.

Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj

The product integrates at very low cost with the tools already in your development process, including seamless integration with dozens of tools such as IDEs, GitLab, Bitbucket, Jenkins, Harbor and Nexus.

Free code security detection tool:  https://www.murphysec.com/?sf=qbyj
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj


Source: blog.csdn.net/murphysec/article/details/131292686