Using OpenVAS, I performed a vulnerability scan of my CentOS 7 server (it runs Apache NiFi 1.7.1 on port 8081). I obtained the following report:
High (CVSS: 10.0)
NVT: Eclipse Jetty Server InvalidPathException Information Disclosure Vulnerability
Product detection result
Detected by Jetty Version Detection (OID: 18.104.22.168.4.1.25622.214.171.1240953)
The host is installed with Eclipse Jetty Server and is prone to information disclosure vulnerability.
Vulnerability Detection Result
Installed version: 9.4.3.v20170317
Fixed version: 9.4.11.v20180605
path / port: 8081/tcp
Successful exploitation will allow an attacker to disclose sensitive information.
Impact Level: Application
Solution type: VendorFix
Upgrade to Eclipse Jetty Server version 9.3.24.v20180605 or 9.4.11.v20180605 or later as per the
series. For updates refer to Reference links.
Eclipse Jetty Server versions 9.2.x, 9.3.x before 9.3.24.v20180605 and 9.4.x before
The flaw exists due to an improper handling of bad queries.
Vulnerability Detection Method
Get the installed version with the help of detect NVT and check the version is vulnerable or not.
Details: Eclipse Jetty Server InvalidPathException Information Disclosure Vulnerability
Version used: $Revision: 10443 $
Product Detection Result
Method: Jetty Version Detection
[..] solution: Upgrade to Eclipse Jetty Server version 9.3.24.v20180605 or 9.4.11.v20180605 or later.
Unfortunately, I could not find a solution to the problem regarding upgrading Eclipse Jetty Server for Apache NiFi.
Has anyone had a similar problem? The case is fresh.
You can do this manually on your instance by changing the Jetty dependency version in
nifi/pom.xml (<jetty.version>9.4.3.v20170317</jetty.version>). There is an Apache Jira (NIFI-5479) to upgrade this in the core project. Please do not comment on that ticket indicating this is related to a security vulnerability, as the Apache Security Vulnerability Reporting Process must be followed.
The root pom file located at
nifi/pom.xml in the project structure should be modified so the existing jetty.version value is changed from 9.4.3.v20170317 to 9.4.11.v20180605. Initial analysis suggests upgrading the Jetty version will cause runtime errors, as their handling of TLD loading has changed and is currently incompatible with how NiFi works.
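The check the scanner describes (read the installed Jetty version, compare it with the fixed release for its 9.x series), applied to the `jetty.version` property discussed in the answers above. This is an added example, not code from this thread or from the NiFi project; the pom fragment is constructed and only carries the one property.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases per the scan report: 9.3.x fixed in 9.3.24, 9.4.x fixed in 9.4.11.
# The report lists all of 9.2.x as affected and names no fixed 9.2 release.
FIXED = {(9, 3): 24, (9, 4): 11}
AFFECTED_SERIES = {(9, 2), (9, 3), (9, 4)}

# Jetty version strings look like 9.4.3.v20170317 (the ".vYYYYMMDD" stamp is optional here).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v(\d{8}))?$")


def parse_jetty_version(text):
    """Split '9.4.3.v20170317' into (9, 4, 3, '20170317')."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version string: {text!r}")
    major, minor, patch, stamp = m.groups()
    return int(major), int(minor), int(patch), stamp


def is_vulnerable(version):
    """True if the version is inside the affected ranges, False if it is at or past
    the fix for its series, None if the series is not covered by the report."""
    major, minor, patch, _ = parse_jetty_version(version)
    series = (major, minor)
    if series not in AFFECTED_SERIES:
        return None
    if series not in FIXED:
        return True  # 9.2.x: affected, no fixed release listed
    return patch < FIXED[series]


def jetty_version_from_pom(pom_xml):
    """Read the <jetty.version> property from a pom.xml, with or without the Maven namespace."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():
        if el.tag.split("}")[-1] == "jetty.version":
            return el.text.strip()
    raise KeyError("no jetty.version property in pom")


# Constructed minimal pom (not NiFi's real root pom); it carries the value quoted in the answers.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jetty.version>9.4.3.v20170317</jetty.version></properties>
</project>"""

if __name__ == "__main__":
    v = jetty_version_from_pom(SAMPLE_POM)
    print(v, "vulnerable" if is_vulnerable(v) else "at or past fixed version")
```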