using OpenVAS, I performed a vulnerability scan of my CentOS7 server (there is Apache Nifi in version 1.7.1 with 8081 port). I obtained the following report:
High (CVSS: 10.0) NVT: Eclipse Jetty Server InvalidPathException Information Disclosure Vulnerability Product detection result cpe:/a:eclipse:jetty:6.1.26. Detected by Jetty Version Detection (OID: 188.8.131.52.4.1.256184.108.40.2060953) Summary The host is installed with Eclipse Jetty Server and is prone to information disclosure vulnerability. Vulnerability Detection Result Installed version: 220.127.116.1170317 Fixed version: 9.4.11.v20180605 Installation path / port: 8081/tcp Impact Successful exploitation will allow an attacker to disclose sensitive information. Impact Level: Application Solution Solution type: VendorFix Upgrade to Eclipse Jetty Server version 9.3.24.v20180605 or 9.4.11.v20180605 or later as per the series. For updates refer to Reference links. Affected Software/OS Eclipse Jetty Server versions 9.2.x, 9.3.x before 9.3.24.v20180605 and 9.4.x before 9.4.11.v20180605 Vulnerability Insight The flaw exists due to an improper handling of bad queries. Vulnerability Detection Method Get the installed version with the help of detect NVT and check the version is vulnerable or not. Details:Eclipse Jetty Server InvalidPathException Information Disclosure Vulnerability OID:18.104.22.168.4.1.25622.214.171.1243552 Version used: $Revision: 10443 $ Product Detection Result Product: cpe:/a:eclipse:jetty:6.1.26. Method: Jetty Version Detection OID: 126.96.36.199.4.1.256188.8.131.520953) References CVE: CVE-2018-12536 Other: URL:https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670 URL:https://www.eclipse.org/jetty/
[..] solution: Upgrade to Eclipse Jetty Server version 9.3.24.v20180605 or 9.4.11.v20180605 or later..
Unfortunately, I could not find a solution to the problem regarding upgrade Eclipse Jetty Server for Apache Nifi.
Has anyone had a similar problem? The case is fresh.
You can do this manually on your instance by changing the Jetty dependency version in
<jetty.version>9.4.3.v20170317</jetty.version>). There is an Apache Jira (NIFI-5479) to upgrade this in the core project. Please do not comment on that ticket indicating this is related to a security vulnerability, as the Apache Security Vulnerability Reporting Process must be followed.
The root pom file located at
nifi/pom.xml in the project structure should be modified so the existing
jetty.version value is changed from
9.4.11.v20180605. Initial analysis suggests upgrading the Jetty version will cause runtime errors, as their handling of TLD loading has changed and is currently incompatible with how NiFi works.