question Re: nifi 2.6 registry security scan results in Support Questions

nifi 2.6 registry security scan results

fy-test — Thu, 11 Dec 2025 10:56:58 GMT

Hello,

I've installed nifi 2.6 registry security - then I've scanned it in AWS Inspector, it shows me the following results:

0 Critical.

12 High.

12 Medium.

Could anyoune confrim the results? And if this is a stable security version?

Re: nifi 2.6 registry security scan results

vafs — Thu, 11 Dec 2025 15:14:53 GMT

Hello @fy-test,

Thanks for being part of our community.
That could be something normal, NiFi Registry 2.6 is a stable version released on September 21st.
https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version2.6.0

Now, those results can be true, but the scanner should tell the CVE-XXXX-XXX IDs
With those you can review if they are reported or not.

If you are using CDF you can open a case with Cloudera and report those CVEs for review.

Re: nifi 2.6 registry security scan results

fy-test — Tue, 16 Dec 2025 18:58:29 GMT

Thank you for the guidance. Here are the specific CVEs identified by AWS Inspector in our NiFi Registry 2.6 scan:

High Severity (12):

CVE-2025-4802 (glibc)
CVE-2023-31484 (perl)
CVE-2025-6020 (pam)
CVE-2023-52425 (expat)
CVE-2025-66293 (libpng1.6)
CVE-2025-32990 (gnutls28)
CVE-2025-32988 (gnutls28)
CVE-2025-9230 (openssl)
CVE-2024-8176 (expat)
CVE-2025-53066 (oracle/jdk)
CVE-2025-64720 (libpng1.6)
CVE-2025-65018 (libpng1.6)

Medium Severity (12):

CVE-2025-11226 (ch.qos.logback:logback-core)
CVE-2025-64505 (libpng1.6)
CVE-2025-64506 (libpng1.6)
CVE-2024-50602 (expat)
CVE-2025-3576 (krb5)
CVE-2025-40909 (perl)
CVE-2024-22365 (pam)
CVE-2025-6395 (gnutls28)
CVE-2025-9714 (libxml2)
CVE-2025-32989 (gnutls28)
CVE-2025-9232 (openssl)
CVE-2025-53057 (oracle/jdk)

Observations:

Most vulnerabilities appear to be in system libraries (glibc, openssl, gnutls) and OS-level packages rather than NiFi Registry itself
Several CVEs are from 2025, suggesting they may be very recent discoveries
One application-level CVE: logback-core (logging library)

Questions:

Are these OS/system-level CVEs expected to be addressed by NiFi Registry updates, or should they be handled at the base image/OS level?
Is there a recommended approach for managing these dependencies in containerized deployments?
Has anyone else running NiFi Registry 2.6 seen similar scan results?

Any guidance would be appreciated.

Re: nifi 2.6 registry security scan results

MattWho — Wed, 17 Dec 2025 13:34:17 GMT

@fy-test

Apache NiFi is only going to be able to address CVEs found in the NiFi-Registry package lib directory files included with the distribution. Any OS/System-level CVEs would need to be addressed by the owner of the platform on which the NIFi-Registry services is being used.

You can find the Apache NiFi Security Reporting here:
https://nifi.apache.org/documentation/security/

You'll find CVEs already addressed in NiFi and NiFi-Registry on the above page. You'll also see how to report any new security vulnerabilities you may discover.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt