[ANNOUNCE] Apache NiFi CVE-2020-9486, CVE-2020-9487, CVE-2020-9491, CVE-2020-13940

[Andy LoPresto <alopresto () apache org>]

Apache NiFi PMC would like to announce the discovery and resolution of CVE-2020-9486, CVE-2020-9487, CVE-2020-9491, and 
CVE-2020-13940. These issues have been resolved and a new version of the Apache NiFi project was released in accordance 
with the Apache Release Process. 

Apache NiFi is an easy to use, powerful, and reliable system to process and distribute data. It supports powerful and 
scalable directed graphs of data routing, transformation, and system mediation logic.

Fixed in Apache NiFi 1.12.0 (Released: August 18, 2020)



CVE-2020-9486: Apache NiFi information disclosure in logs

Severity: Important

Versions Affected: Apache NiFi 1.10.0 - 1.11.4

Description: The NiFi stateless execution engine produced log output which included sensitive property values. When a 
flow was triggered, the flow definition configuration JSON was printed, potentially containing sensitive values in 
plaintext.

Mitigation: Implemented Argon2 secure hashing to provide a deterministic loggable value which does not reveal the 
sensitive value. Users running any previous NiFi release should upgrade to the latest release.

Credit: This issue was discovered by Andy LoPresto and Pierre Villard.



CVE-2020-9487: Apache NiFi denial of service

Severity: Important

Versions Affected: Apache NiFi 1.0.0 - 1.11.4

Description: The NiFi download token (one-time password) mechanism used a fixed cache size and did not authenticate a 
request to create a download token, only when attempting to use the token to access the content. An unauthenticated 
user could repeatedly request download tokens, preventing legitimate users from requesting download tokens.

Mitigation: Disabled anonymous authentication, implemented a multi-indexed cache, and limited token creation requests 
to one concurrent request per user. Users running any previous NiFi release should upgrade to the latest release.

Credit: This issue was discovered by Dennis Detering (IT Security Consultant at Spike Reply).



CVE-2020-9491: Apache NiFi use of weak TLS protocols

Severity: Critical

Versions Affected: Apache NiFi 1.2.0 - 1.11.4

Description: The NiFi UI and API were protected by mandating TLS v1.2, as well as listening connections established by 
processors like ListenHTTP, HandleHttpRequest, etc. However intracluster communication such as cluster request 
replication, Site-to-Site, and load balanced queues continued to support TLS v1.0 or v1.1.

Mitigation: Refactored disparate internal SSL and TLS code, reducing exposure for extension and framework developers to 
low-level primitives. Added support for TLS v1.3 on supporting JVMs. Restricted all incoming TLS communications to TLS 
v1.2+. Users running any previous NiFi release should upgrade to the latest release.

Credit: This issue was discovered by Juan Carlos Sequeiros and Andy LoPresto.



CVE-2020-13940: Apache NiFi information disclosure by XXE

Severity: Low

Versions Affected: Apache NiFi 1.0.0 - 1.11.4

Description: The notification service manager and various policy authorizer and user group provider objects allowed 
trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to 
make external calls to services (via XXE).

Mitigation: An XML validator was introduced to prevent malicious code from being parsed and executed. Users running any 
previous NiFi release should upgrade to the latest release.

Credit: This issue was discovered by Matt Burgess and Andy LoPresto.

For more information: https://nifi.apache.org/security.html <https://nifi.apache.org/security.html>

Andy LoPresto
alopresto () apache org
alopresto.apache () gmail com
He/Him
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69