A high-severity remote code execution (RCE) vulnerability in Apache NiFi, for which an exploit tool already exists, could lead to unauthorized access and data breaches, warns cybersecurity firm Cyfirma. Apache NiFi is an open source data integration and automation tool used for data processing and distribution.
Tracked as CVE-2023-34468 (CVSS score of 8.8) and resolved in June, the issue can be exploited by authenticated users to “set a URL [endereço de internet] database with the H2 driver that allows custom code execution.”
The problem exists because certain NiFi services support configurable access to databases using JDBC (Java Database Connectivity), and because any string can be introduced when setting properties such as the connection URL.
This essentially allows an attacker to create connection strings to H2—a Java-based embedded database typically used in Apache NiFi—to remotely execute code on vulnerable NiFi instances and gain unauthorized access to systems and data.
“The impact of this vulnerability is severe as it gives attackers the ability to gain unauthorized access to systems, exfiltrate sensitive data, and execute malicious code remotely,” notes Cyfirma in a bug analysis and its exploitation.
The bug affects NiFi versions 0.0.2 to 1.21.0 and was resolved with the release of NiFi version 1.22.0, which “disables JDBC H2 URLs in the default configuration.” As of August 30, a public exploit for this vulnerability existed, but no malicious exploitation of the flaw has been observed to date, notes Cyfirma.
The cybersecurity firm identified approximately 2,700 Internet-exposed Apache NiFi instances belonging to organizations across multiple industries, including finance, government, healthcare, telecommunications and others.
Considering the severity and impact of the bug and the fact that vulnerabilities in similar software products are known to have been exploited in large-scale attacks, organizations are advised to update their NiFi instances and remain vigilant to potential exploitation attempts.
Source: CisoAdvisor
