Deserialization of untrusted data

2018-01-2521:29:00

PRIOn knowledge base

www.prio-n.com

5.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.8%

JSON

Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release.

CPENameOperatorVersion
nifige1.0.0
nifile1.4.0

CPE	Name	Operator	Version
	nifi	ge	1.0.0
	nifi	le	1.4.0

References

nifi.apache.org/security.html