Spring Framework Open Redirect Vulnerability on Nifi 1.19.1

Explorer

Our current NiFi 1.19.1 installation was flagged by a scan for a Spring Framework open redirect vulnerability. Can we upgrade directly to Apache NiFi 1.25.0, or is there another way to resolve it? Right now, given that our code supports Java 8, upgrading to Apache NiFi 2, which appears to be on the Spring Framework 6 line, still looks like a risky option. Upgrading to NiFi 2 would require upgrading Java.


Community Manager

Translation:

The current installation of Nifi 1.19.1 is scanned for the Spring Framework Open Redirect vulnerability. Can I directly upgrade to apache nifi1.25.0? Or is there any other solution? Currently, upgrading to apache nifi2 appears to be a version of Spring Framework 6, still a risky version, considering the code supports Java 8. Upgrading to nifi2 requires upgrading Java. 


Regards,

Diana Torres,
Community Moderator



Explorer

Thank you very much for the translation. The original text is in English. I guess the webpage was translated and saved directly during the second editing.

Master Mentor

@whoknows 

Providing an actual CVE for the suspected detected vulnerability is always going to get you the best response.  I am assuming you may be referring to this CVE?
https://www.cvedetails.com/cve/CVE-2024-22233/

Apache NiFi is not vulnerable to this CVE because NiFi does not use Spring MVC, it uses JAX-RS and Jersey for REST resources.    The vulnerability is only exposed when  all of the following are true:

  1. The application uses Spring MVC
  2. Spring Security 6.1.6+ or 6.2.1+ is on the classpath

-----------------

As far as upgrading directly from Apache NiFi 1.19.1 to 1.25 goes, you should have no issues there, provided you have reviewed the release notes below for all versions from 1.20 to 1.25 to see if any changes may impact your specific dataflows:
https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version1.25.0

I saw no red flags to worry about.

-----------------
Apache NiFi also upgraded its Spring Framework version in https://issues.apache.org/jira/browse/NIFI-12811 in Apache NiFi 2.0.


Thank you,
Matt
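The reply above reduces the question to two classpath conditions: is Spring MVC present, and is Spring Security in the 6.1.6+ or 6.2.1+ range. The following script is an added example, not code from the thread, from Apache NiFi or from the Spring project. It turns those two conditions into a check you can run against a NiFi `lib/` directory (loose jars plus the jars bundled inside each `.nar`, which is itself a zip archive). It assumes the usual `<artifact>-<version>.jar` naming convention for Maven artifacts; the sample jar lists at the bottom are constructed for illustration and do not describe any real installation.

```python
import os
import re
import zipfile
from typing import Dict, Iterable, List, Tuple

# Maven-style jar name: "<artifact>-<version>.jar", e.g. spring-security-core-6.1.7.jar
JAR_RE = re.compile(r"(?P<artifact>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d[A-Za-z0-9._-]*)\.jar")


def parse_version(version: str) -> Tuple[int, ...]:
    """Reduce '6.1.7' or '6.2.0-RC1' to a comparable tuple of its leading numeric parts."""
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def spring_security_in_affected_range(version: str) -> bool:
    """Condition 2 from the reply: Spring Security 6.1.6+ or 6.2.1+ on the classpath.

    Read as [6.1.6, 6.2.0) or >= 6.2.1. The trailing '+' means anything newer than
    6.2.1 is treated as matching too; narrow this if your advisory says otherwise.
    """
    v = parse_version(version)
    v = v + (0,) * (3 - len(v))  # pad so "6.2" compares as 6.2.0
    return (6, 1, 6) <= v < (6, 2, 0) or v >= (6, 2, 1)


def assess(jar_names: Iterable[str]) -> Dict[str, object]:
    """Apply both conditions to a list of jar paths or names (directory parts are ignored)."""
    uses_spring_mvc = False
    spring_security_versions: List[str] = []
    for name in jar_names:
        m = JAR_RE.fullmatch(os.path.basename(name))
        if not m:
            continue
        artifact, version = m.group("artifact"), m.group("version")
        if artifact == "spring-webmvc":  # condition 1: the app uses Spring MVC
            uses_spring_mvc = True
        elif artifact == "spring-security" or artifact.startswith("spring-security-"):
            spring_security_versions.append(version)
    security_match = any(spring_security_in_affected_range(v) for v in spring_security_versions)
    return {
        "uses_spring_mvc": uses_spring_mvc,
        "spring_security_versions": spring_security_versions,
        "spring_security_in_range": security_match,
        "both_conditions_met": uses_spring_mvc and security_match,
    }


def jars_in_lib_dir(path: str) -> List[str]:
    """Collect loose jars under a lib directory plus the jars bundled inside every .nar file."""
    found: List[str] = []
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if entry.endswith(".jar"):
            found.append(entry)
        elif entry.endswith(".nar") and zipfile.is_zipfile(full):
            with zipfile.ZipFile(full) as nar:
                found.extend(n for n in nar.namelist() if n.endswith(".jar"))
    return found


def scan_lib_dir(path: str) -> Dict[str, object]:
    """Run the check against a real directory, e.g. $NIFI_HOME/lib."""
    return assess(jars_in_lib_dir(path))


# Constructed sample inputs (hypothetical names and versions, for illustration only).
SAMPLE_NIFI_LIB = [
    "nifi-framework-core-1.19.1.jar", "spring-core-5.3.23.jar", "spring-context-5.3.23.jar",
    "spring-security-core-5.7.3.jar", "jersey-server-2.35.jar",
]
SAMPLE_MVC_APP = ["spring-webmvc-6.1.2.jar", "spring-security-web-6.2.1.jar", "spring-security-config-6.2.1.jar"]
SAMPLE_MVC_OLD_SECURITY = ["spring-webmvc-6.1.2.jar", "spring-security-web-6.1.5.jar"]

if __name__ == "__main__":
    for label, jars in (("nifi-like lib", SAMPLE_NIFI_LIB), ("mvc app", SAMPLE_MVC_APP),
                        ("mvc app, older security", SAMPLE_MVC_OLD_SECURITY)):
        print(label, assess(jars))
```

Point `scan_lib_dir` at `$NIFI_HOME/lib` to get a verdict for an actual install; a result with `uses_spring_mvc` false (no `spring-webmvc` jar anywhere) is the concrete evidence behind the "NiFi uses JAX-RS and Jersey, not Spring MVC" argument, and it is what you would attach to a scanner false-positive ticket. The version logic treats everything above 6.2.1 as in scope because the reply's "+" is open-ended, so read it as "conditions as stated", not as a statement about later Spring Security releases.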

Explorer

[attached image: image-2024-03-04-10-48-23-012.png]

Explorer

OK, thanks for the answer. It seems the only solution for now is to upgrade to the highest NiFi version that is compatible with Java 8.