Apache NiFi: Potential Deserialization of Untrusted Data with JNDI in JMS Components
CVE-2023-34212

6.5 MEDIUM

Key Information:

Vendor: Apache
CVE Published: 12 June 2023

Badges

👾 Exploit Exists
🟡 Public PoC

Summary

The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allows an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location.

The resolution validates the JNDI URL and restricts locations to a set of allowed schemes.

Upgrading to version 1.22.0 or later, which fixes this issue, is recommended.

Affected Version(s)

Apache NiFi 1.8.0 through 1.21.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved

Credit

Veraxy00 of Qianxin TI Center
Matei "Mal" Badanoiu