NixOS / security


Roundup: [oss-security] [ANNOUNCE] CVE-2017-5635 and CVE-2017-5636 #98

Closed grahamc closed 7 years ago

grahamc commented 7 years ago

Here is a report from the oss-security mailing list for Vulnerability Roundup 27.


Instructions:

Identification

Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.

Example:

unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged

IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!

Patching

Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.

If you open a pull request, tag this issue and the master issue for the roundup.

If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:

fixed:

release-16.09: abc123


Upon Completion ...

Info

Triage Indicator:

-needs-triage +roundup27 thread:000000000000405c

Should the search term be changed from UNKNOWN? Suggest a new package search by commenting:

-suggested:UNKNOWN +suggested:correctPackageName thread:000000000000405c

Known CVEs: CVE-2017-5635, CVE-2017-5636, CVE-2107-5635, CVE-2107-5636



Mon, 6 Mar 2017 15:15:27 -0800 Andy LoPresto, 5B4851DB-DCE6-4F85-97C7-05605441C2FD@apache.org
Apache NiFi PMC would like to announce the discovery and resolution of CVE-2017-5635 and CVE-2017-5636. These issues have been resolved and new versions of the Apache NiFi project were released in accordance with the Apache Release Process. 

Fixed in Apache NiFi 0.7.2 and 1.1.2

CVE-2107-5635: Apache NiFi Unauthorized Data Access In Cluster Environment

Severity: Important

Versions Affected:

Apache NiFi 0.7.0
Apache NiFi 0.7.1
Apache NiFi 1.1.0
Apache NiFi 1.1.1

Description: In a cluster environment, if an anonymous user request is replicated to another node, the originating node identity is used rather than the “anonymous” user.

Mitigation: A fix has been provided (removing the negative check for anonymous user before building the proxy chain and throwing an exception, and evaluating each user in the proxy chain iteration and comparing against a static constant anonymous user). This fix was applied in NIFI-3487 and released in Apache NiFi 0.7.2 and 1.1.2. 1.x users running a clustered environment should upgrade to 1.1.2. 0.x users running a clustered environment should upgrade to 0.7.2. 

Credit: This issue was discovered by Leonardo Dias in conjunction with Matt Gilman.

CVE-2107-5636: Apache NiFi User Impersonation In Cluster Environment

Severity: Moderate

Versions Affected:

Apache NiFi 0.7.0
Apache NiFi 0.7.1
Apache NiFi 1.1.0
Apache NiFi 1.1.1

Description: In a cluster environment, the proxy chain serialization/deserialization is vulnerable to an injection attack where a carefully crafted username could impersonate another user and gain their permissions on a replicated request to another node.

Mitigation: A fix has been provided (modification of the tokenization code and sanitization of user-provided input). This fix was applied in NIFI-3487 and released in Apache NiFi 0.7.2 and 1.1.2. 1.x users running a clustered environment should upgrade to 1.1.2. 0.x users running a clustered environment should upgrade to 0.7.2. 

Credit: This issue was discovered by Andy LoPresto.

Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69


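The two fixes described in the advisory above (escaping user-provided identities before tokenizing the proxy chain, and keeping an explicit anonymous entry in the chain), as an added Python sketch that is not NiFi's code or part of the original report. The `<id><id>` chain format, the empty-string anonymous marker and all function names are assumptions made for illustration.

```python
import re

ANONYMOUS = ""  # assumption: anonymous is the empty identity, serialized as "<>"
_TOKEN = re.compile(r"<((?:\\.|[^\\<>])*)>", re.S)

def escape(identity):
    # Escape the escape character first, then both delimiters.
    return identity.replace("\\", "\\\\").replace("<", "\\<").replace(">", "\\>")

def serialize_chain(identities):
    return "".join("<" + escape(i) + ">" for i in identities)

def parse_chain(header):
    """Strict tokenizer: every character must belong to a well-formed <token>."""
    identities, pos = [], 0
    while pos < len(header):
        m = _TOKEN.match(header, pos)
        if m is None:
            raise ValueError("malformed proxy chain at offset %d" % pos)
        identities.append(re.sub(r"\\(.)", r"\1", m.group(1), flags=re.S))
        pos = m.end()
    return identities

def build_chain(end_user, node_identity):
    # An unauthenticated caller stays in the chain as ANONYMOUS; dropping the
    # entry would leave the replicating node as the apparent end user.
    user = ANONYMOUS if end_user is None else end_user
    return serialize_chain([user, node_identity])

# Unescaped variant, kept only for contrast with the hardened functions above.
def naive_serialize(identities):
    return "".join("<" + i + ">" for i in identities)

def naive_parse(header):
    return re.findall(r"<([^>]*)>", header)

if __name__ == "__main__":
    crafted = "alice><admin"  # constructed sample username containing delimiters
    print(naive_parse(naive_serialize([crafted, "node1"])))   # three identities
    print(parse_chain(serialize_chain([crafted, "node1"])))   # two identities
    print(parse_chain(build_chain(None, "node1")))            # anonymous kept first
```
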


grahamc commented 7 years ago

master: not packaged
release-16.09: not packaged
release-17.03: not packaged