Apache NiFi, an open-source project that allows for the automation of data flows between different systems, recently discovered a vulnerability in versions 1.10. through 2... This vulnerability is identified as CVE-2024-56512, and it concerns the missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers during the creation of new Process Groups.

This post walks through a code snippet that demonstrates the vulnerability, links to the original references, and details on how the vulnerability can be exploited.

Code Snippet

The following code snippet illustrates the missing authorization check when creating a new Process Group with a bound Parameter Context:

public class ProcessGroupCreator {
    public void createNewProcessGroup(String parameterContextId) {
        ParameterContext paramContext = getParameterContext(parameterContextId);
        ProcessGroup newProcessGroup = new ProcessGroup(paramContext);

        // Missing authorization check for Parameter Context
        if (!newProcessGroup.referencesParameters()) {
            return;
        }

        // Authorization check should be here
    }
}

In the code above, the createNewProcessGroup() method requires an input that binds a Parameter Context to the new Process Group. However, as seen in the code, there is no check for user authorization, which could grant unauthorized users the ability to download non-sensitive Parameter values after creating the Process Group.
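For contrast, here is an added example (not from the original post and not Apache NiFi's own code) of where the checks belong: every referenced Parameter Context, Controller Service and Parameter Provider is authorized for the requesting user before the Process Group is created. The `CreateRequest` record, the `readPolicies` map and `authorizeRead()` are hypothetical stand-ins for NiFi's request and policy model, and the sample users and ids are constructed.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

public class ProcessGroupCreationCheck {
    // Hypothetical request model: the components a new Process Group refers to.
    record CreateRequest(String name, String parameterContextId,
                         List<String> controllerServiceIds,
                         List<String> parameterProviderIds) {}

    // Hypothetical policy store: user -> ids of components the user may read.
    private final Map<String, Set<String>> readPolicies;

    ProcessGroupCreationCheck(Map<String, Set<String>> readPolicies) {
        this.readPolicies = readPolicies;
    }

    // Deny by default: an unknown user or an unlisted component is rejected.
    private void authorizeRead(String user, String componentId) {
        if (!readPolicies.getOrDefault(user, Set.<String>of()).contains(componentId)) {
            throw new SecurityException(user + " may not reference " + componentId);
        }
    }

    // Authorize every referenced component BEFORE the group is created,
    // so a denied request leaves no partially created group behind.
    String createNewProcessGroup(String user, CreateRequest req) {
        if (req.parameterContextId() != null) {
            authorizeRead(user, req.parameterContextId());
        }
        req.controllerServiceIds().forEach(id -> authorizeRead(user, id));
        req.parameterProviderIds().forEach(id -> authorizeRead(user, id));
        return "created " + req.name() + " for " + user;
    }

    public static void main(String[] args) {
        // Constructed sample data: alice can read the context and service, bob cannot.
        var check = new ProcessGroupCreationCheck(
                Map.of("alice", Set.of("ctx-1", "svc-1"), "bob", Set.<String>of()));
        var req = new CreateRequest("ingest", "ctx-1", List.of("svc-1"), List.<String>of());
        System.out.println(check.createNewProcessGroup("alice", req));
        try {
            check.createNewProcessGroup("bob", req);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```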

- Apache NiFi Security Bulletin
- CVE Details
- NIST National Vulnerability Database
- Apache NiFi Release 2.1.

Exploit Details

This vulnerability allows authenticated users who have the necessary permissions to create Process Groups to bypass the authorization checks, enabling them to reference existing Controller Services and Parameter Providers that they should not have access to. As a result, unauthorized clients can create Process Groups and use components without proper authorization.

To exploit this vulnerability, an attacker would need to create a new Process Group with a bound Parameter Context or reference existing Controller Services and Parameter Providers. They can then access and use these components even though they lack the required authorization.

The vulnerability's scope is limited to authenticated users authorized to create Process Groups and is further limited to deployments with component-based authorization policies.

The recommended mitigation for this vulnerability is to upgrade to Apache NiFi 2.1., which includes authorization checking for Parameter and Controller Service references on Process Group creation.

In summary, to protect your Apache NiFi deployment from possible exploits related to CVE-2024-56512, it is essential to upgrade to version 2.1.. This action ensures that proper authorization checks are in place and prevents unauthorized users from creating and accessing Process Groups, Controller Services, and Parameter Providers.

Timeline

Published on: 12/28/2024 17:15:07 UTC