Hi @chintuk  While we welcome your question and a member of the Cloudera Community might well be able to answer it, I believe you would be much more likely to obtain a timely solution if you posted it to the Atlassian Community.     ... View more

@dag  While you are waiting, can you describe in a bit more detail what you mean by "support NiFi in a commercial environment"? As part of a CDP Subscription, Cloudera supports it's own products, which while they might be based on Apache's releases, are not freely interchangeable with them. One reason for that is there'a always certain differences between the versions released by Cloudera in products such as Cloudera DataFlow (CDF) or Cloudera DataFlow for the Public Cloud (CDF-PC) and the release of "upstream" component projects such as Apache NiFi. This is analogous to how there are differences between what mainline kernel is "current" in the open source Linux world and what RedHat, for example, releases as part of Red Hat Enterprise Linux. In general, Cloudera doesn't provide support for the distributions of NiFi directly downloaded from Apache.     ... View more

@Girish007  The reason I was asking is because what kind of "security scan" you performed matters a great deal. Certain security scan applications are pretty basic and only look at a list of vulnerabilities and the libraries exposed to them and then compare that to a list of libraries using specific version numbers found on/retrieved from the deployed system in question. Many times, this will lead to "false positives" because the system is not actually vulnerable due to the specific way the library is used. Other times, the system vendor will have addressed the vulnerability by changing the code included in the library, without changing the name of major release number denoted in the filename. In the specific case you're interested in, Apache Commons Text is a very popular library, so there are just going to be widespread references to vulnerable versions across anything that uses Apache code. For Apache NiFi, authoritative sources tell me that on initial investigation, NiFi had no direct uses of the vulnerable class, but had many transitive references to the library and that this was patched last month in the open source repository, so updates will be making their way to new versions. You can view the upstream Jira issue here: NIFI-10648     ... View more

@YogeshKumar  I'm curious as to exactly how you have determined that, because you have identified that there are previously identified vulnerabilities of critical, high and moderate severity in Log4j1 and Log4j2, that CDH 6.3.4 is exposed to those same vulnerabilities?     ... View more

@hanumanth, Exactly how are you determining that the file path you've identified is exposed to the CVE-2022-42889 vulnerability?     ... View more

@hanumanth I'm just curious as to exactly how you or @Girish007 have determined that a specific release of  NiFi is vulnerable to the aforementioned CVE?     ... View more

@yacine_, You didn't say what you are looking to do with the Tez UI, but there is documentation available on the equivalent functionality available in Data Analytics Studio (DAS), which is currently available on CDP, here: Difference between Tez UI and DAS     ... View more