Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Now Live: Explore expert insights and technical deep dives on the new Cloudera Community BlogsRead the Announcement

nifi 2.6 registry security scan results

Labels:
avatar
author-rank fy-test
Explorer

Created ‎12-11-2025 02:56 AM

Hello,

I've installed nifi 2.6 registry security - then I've scanned it in AWS Inspector, it shows me the following results:

0 Critical.

12 High.

12 Medium.

Could anyoune confrim the results? And if this is a stable security version?

386 Views
0 Kudos
3 REPLIES 3

avatar
author-rank vafs author-rank
Expert Contributor

Created ‎12-11-2025 07:14 AM

Hello @fy-test

Thanks for being part of our community. 
That could be something normal, NiFi Registry 2.6 is a stable version released on September 21st. 
https://cwiki.apache.org/confluence/display/NIFI/Release+Notes#ReleaseNotes-Version2.6.0

Now, those results can be true, but the scanner should tell the CVE-XXXX-XXX IDs
With those you can review if they are reported or not. 

If you are using CDF you can open a case with Cloudera and report those CVEs for review.  


Regards,
Andrés Fallas
--
Was your question answered? Please take some time to click on "Accept as Solution" below this post.
If you find a reply useful, say thanks by clicking on the thumbs-up button.
371 Views

avatar
author-rank fy-test
Explorer

Created ‎12-16-2025 10:58 AM

Thank you for the guidance. Here are the specific CVEs identified by AWS Inspector in our NiFi Registry 2.6 scan:

High Severity (12):

  • CVE-2025-4802 (glibc)
  • CVE-2023-31484 (perl)
  • CVE-2025-6020 (pam)
  • CVE-2023-52425 (expat)
  • CVE-2025-66293 (libpng1.6)
  • CVE-2025-32990 (gnutls28)
  • CVE-2025-32988 (gnutls28)
  • CVE-2025-9230 (openssl)
  • CVE-2024-8176 (expat)
  • CVE-2025-53066 (oracle/jdk)
  • CVE-2025-64720 (libpng1.6)
  • CVE-2025-65018 (libpng1.6)

Medium Severity (12):

  • CVE-2025-11226 (ch.qos.logback:logback-core)
  • CVE-2025-64505 (libpng1.6)
  • CVE-2025-64506 (libpng1.6)
  • CVE-2024-50602 (expat)
  • CVE-2025-3576 (krb5)
  • CVE-2025-40909 (perl)
  • CVE-2024-22365 (pam)
  • CVE-2025-6395 (gnutls28)
  • CVE-2025-9714 (libxml2)
  • CVE-2025-32989 (gnutls28)
  • CVE-2025-9232 (openssl)
  • CVE-2025-53057 (oracle/jdk)

Observations:

  • Most vulnerabilities appear to be in system libraries (glibc, openssl, gnutls) and OS-level packages rather than NiFi Registry itself
  • Several CVEs are from 2025, suggesting they may be very recent discoveries
  • One application-level CVE: logback-core (logging library)

Questions:

  1. Are these OS/system-level CVEs expected to be addressed by NiFi Registry updates, or should they be handled at the base image/OS level?
  2. Is there a recommended approach for managing these dependencies in containerized deployments?
  3. Has anyone else running NiFi Registry 2.6 seen similar scan results?

Any guidance would be appreciated.

304 Views
0 Kudos

avatar
author-rank MattWho author-rank
Master Mentor

Created ‎12-17-2025 05:34 AM

@fy-test 

Apache NiFi  is only going to be able to address CVEs found in the NiFi-Registry package lib directory files included with the distribution.  Any OS/System-level CVEs would need to be addressed by the owner of the platform on which the NIFi-Registry services is being used.

You can find the Apache NiFi Security Reporting here:
https://nifi.apache.org/documentation/security/

You'll find CVEs already addressed in NiFi and NiFi-Registry on the above page.  You'll also see how to report any new security vulnerabilities you may discover.

 

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

286 Views
0 Kudos
Announcements
Community Announcements
December 2025 Community Highlights
Community Announcements
Announcing the Launch of Cloudera Community Blogs
Community Announcements
October / November 2025 Community Highlights
What's New @ Cloudera
Announcing Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
Announcing Cloudera Streams Messaging - Kubernetes Operator ...
View More Announcements