CVE-2023-36542

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated and authorized Apache NiFi users to configure HTTP URL references for retrieving drivers, enabling custom code execution. It affects Apache NiFi versions 0.0.2 through 1.22.0. The issue is mitigated by restricting configuration of these components to privileged users only.

💻 Affected Systems

Products:
  • Apache NiFi
Versions: 0.0.2 through 1.22.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with authorization to configure Processors or Controller Services that support HTTP URL references.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through remote code execution, allowing attackers to execute arbitrary code with the privileges of the NiFi process, potentially leading to data theft, system takeover, or lateral movement.

🟠 Likely Case

Privilege escalation within NiFi environment, enabling unauthorized configuration changes, data manipulation, or installation of malicious components by authenticated users with limited permissions.

🟢 If Mitigated

Minimal impact as only privileged users can configure remote resource references, maintaining proper access controls and preventing unauthorized code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and knowledge of NiFi configuration. No public exploit code has been disclosed as of the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache NiFi 1.23.0

Vendor Advisory: https://nifi.apache.org/security.html#CVE-2023-36542

Restart Required: Yes

Instructions:

1. Download Apache NiFi 1.23.0 or later from the official Apache repository.
2. Back up the current NiFi configuration and data.
3. Stop the NiFi service.
4. Replace the installation with the new version.
5. Restore the configuration if needed.
6. Start the NiFi service.

🔧 Temporary Workarounds

Restrict User Permissions

Limit user permissions to prevent configuration of Processors and Controller Services with remote resource references.

NiFi does not expose a command-line switch for this; the restriction is applied through access policies. In the NiFi UI, open Global Access Policies and remove non-privileged users and groups from the "access restricted components" policy (in 1.23.0 and later, the "reference remote resources" restriction covers these components specifically), or make the same change through the /nifi-api/policies REST endpoint.

🧯 If You Can't Patch

  • Implement strict access controls to limit which users can configure Processors and Controller Services
  • Monitor and audit configuration changes to Processors and Controller Services for suspicious HTTP URL references

🔍 How to Verify

Check if Vulnerable:

Check Apache NiFi version using the web UI or by examining the installation directory. Versions 0.0.2 through 1.22.0 are vulnerable.

Check Version:

Check NiFi web UI dashboard or examine ${NIFI_HOME}/lib/nifi-*.jar files for version information

Verify Fix Applied:

Verify installation of Apache NiFi 1.23.0 or later and confirm the 'Reference Remote Resources' permission is properly enforced.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized configuration changes to Processors or Controller Services
  • HTTP requests to external URLs from NiFi components
  • User permission changes related to remote resource references

Network Indicators:

  • Outbound HTTP requests from NiFi to untrusted external URLs for driver retrieval

SIEM Query:

source="nifi" AND (event_type="configuration_change" OR event_type="permission_change") AND (resource_type="Processor" OR resource_type="ControllerService")
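The "If You Can't Patch" and "Detection" items both call for auditing component configuration for HTTP URL references. The following is an added example (not from the advisory or the NiFi project) that scans a NiFi flow definition for processor or controller-service properties whose value holds an http(s) URL; the sample document is constructed, and its layout (component elements with <class> and <property><name/><value/></property> children) is an assumption modelled on flow.xml.gz.

```python
import gzip
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on a NiFi flow.xml.gz; the remote driver URL and
# the host 203.0.113.10 are placeholders, not indicators from the advisory.
SAMPLE_FLOW_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<flowController>
  <rootGroup>
    <id>root</id>
    <controllerService>
      <id>cs-1</id><name>Postgres Pool</name>
      <class>org.apache.nifi.dbcp.DBCPConnectionPool</class>
      <property><name>Database Driver Location(s)</name>
        <value>http://203.0.113.10/drivers/postgresql.jar</value></property>
      <property><name>Database Connection URL</name>
        <value>jdbc:postgresql://db.internal:5432/app</value></property>
    </controllerService>
    <processGroup>
      <id>pg-1</id>
      <controllerService>
        <id>cs-2</id><name>Local Pool</name>
        <class>org.apache.nifi.dbcp.DBCPConnectionPool</class>
        <property><name>Database Driver Location(s)</name>
          <value>file:///opt/nifi/drivers/postgresql.jar</value></property>
      </controllerService>
    </processGroup>
  </rootGroup>
</flowController>"""

HTTP_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)

def find_remote_references(xml_bytes):
    """Return (id, name, class, property, value) for every processor or
    controller-service property whose value contains an http(s) URL,
    at any nesting depth of process groups."""
    findings = []
    for comp in ET.fromstring(xml_bytes).iter():
        if comp.tag not in ("processor", "controllerService"):
            continue
        for prop in comp.findall("property"):
            value = prop.findtext("value") or ""
            if HTTP_URL.search(value):  # jdbc:// and file:// values do not match
                findings.append((comp.findtext("id"), comp.findtext("name"),
                                 comp.findtext("class"), prop.findtext("name"), value))
    return findings

def scan_flow_file(path):
    """Scan a real ${NIFI_HOME}/conf/flow.xml.gz."""
    with gzip.open(path, "rb") as fh:
        return find_remote_references(fh.read())

if __name__ == "__main__":
    for finding in find_remote_references(SAMPLE_FLOW_XML):
        print("REMOTE RESOURCE REFERENCE:", finding)
```

Run it on a copy of flow.xml.gz taken before and after a configuration change to see which component gained a remote reference; the same check can be re-run from a scheduled job to feed the SIEM query above.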
