CVE-2024-52067
📋 TL;DR
Apache NiFi versions 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 contain debug logging that can expose sensitive parameter values when enabled. Authorized administrators can enable debug logging during flow synchronization, causing parameter names and values to be written to application logs. This affects deployments where administrators have logging configuration access and parameter contexts contain sensitive data.
💻 Affected Systems
- Apache NiFi
📦 What is this software?
Nifi by Apache
⚠️ Risk & Real-World Impact
Worst Case
Sensitive credentials, API keys, or other secrets stored in Parameter Contexts are exposed in application logs, potentially leading to credential theft and system compromise.
Likely Case
Authorized administrators accidentally or intentionally enable debug logging, exposing parameter values to anyone with log access, potentially violating data protection requirements.
If Mitigated
With default Logback configuration, no parameter values are logged, limiting exposure to systems where debug logging has been manually enabled.
🎯 Exploit Status
Requires authorized administrator access to change logging levels. No special tools or techniques needed beyond enabling debug logging.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache NiFi 2.0.0 or 1.28.1
Vendor Advisory: https://lists.apache.org/thread/9rz5rwn2zc7pfjq7ppqldqlc067tlcwd
Restart Required: Yes
Instructions:
1. Download Apache NiFi 2.0.0 or 1.28.1 from the official Apache website.
2. Back up the current configuration and data.
3. Stop the NiFi service.
4. Replace the installation with the patched version.
5. Restore the configuration and data.
6. Start the NiFi service.
🔧 Temporary Workarounds
Disable debug logging for flow synchronization
Ensure debug logging is not enabled for the org.apache.nifi.controller.flow.FlowSynchronization class
Check logback.xml configuration for <logger name="org.apache.nifi.controller.flow.FlowSynchronization" level="INFO"/>
Restrict logging configuration access
Limit which administrators can modify logging levels
🧯 If You Can't Patch
- Audit and restrict administrator access to logging configuration
- Regularly review application logs for parameter value exposure
🔍 How to Verify
Check if Vulnerable:
Check the NiFi version and whether debug logging is enabled for org.apache.nifi.controller.flow.FlowSynchronization in logback.xml
Check Version:
Check nifi-app.log for version information or run: java -jar nifi-app.jar --version
Verify Fix Applied:
Verify that the NiFi version is 2.0.0 or 1.28.1, or test that enabling debug logging for FlowSynchronization no longer logs parameter values
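As an added example (not part of this advisory), the logback.xml check from the workaround and "Check if Vulnerable" sections above, written as a Python script: it resolves the effective Logback level of the FlowSynchronization logger, including a level inherited from a parent package logger or from <root>, which a plain grep for the class name would miss. The sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Logger named in the advisory whose DEBUG output exposes parameter values.
SENSITIVE_LOGGER = "org.apache.nifi.controller.flow.FlowSynchronization"
INHERIT = {"INHERITED", "NULL"}  # Logback values meaning "take the parent's level"


def effective_level(logback_xml: str, logger_name: str) -> str:
    """Effective Logback level: the logger's own level if set, else the nearest
    ancestor's in the dotted hierarchy, else <root> (DEBUG when unset)."""
    config = ET.fromstring(logback_xml)
    explicit = {}
    for logger in config.iter("logger"):
        name, level = logger.get("name"), logger.get("level")
        if name and level and level.upper() not in INHERIT:
            explicit[name] = level.upper()
    root_el = config.find("root")
    root_level = ((root_el.get("level") if root_el is not None else None) or "DEBUG").upper()
    parts = logger_name.split(".")
    for depth in range(len(parts), 0, -1):  # full name first, then each ancestor
        ancestor = ".".join(parts[:depth])
        if ancestor in explicit:
            return explicit[ancestor]
    return root_level


def parameter_values_logged(logback_xml: str) -> bool:
    """True when an unpatched NiFi with this config would write parameter names
    and values to nifi-app.log during flow synchronization."""
    return effective_level(logback_xml, SENSITIVE_LOGGER) in {"DEBUG", "TRACE", "ALL"}


# Constructed sample configurations (not taken from any real deployment).
SAFE_CONFIG = """<configuration>
  <root level="INFO"><appender-ref ref="APP_FILE"/></root>
</configuration>"""
# DEBUG on a parent package: the class inherits it although no FlowSynchronization
# logger appears in the file, so grepping for the class name alone misses this.
DEBUG_CONFIG = """<configuration>
  <root level="INFO"><appender-ref ref="APP_FILE"/></root>
  <logger name="org.apache.nifi.controller.flow" level="DEBUG"/>
</configuration>"""
# The advisory's workaround: pin the class to INFO even under a DEBUG parent.
PINNED_CONFIG = """<configuration>
  <root level="INFO"><appender-ref ref="APP_FILE"/></root>
  <logger name="org.apache.nifi.controller.flow" level="DEBUG"/>
  <logger name="org.apache.nifi.controller.flow.FlowSynchronization" level="INFO"/>
</configuration>"""
```

Run `parameter_values_logged(open("conf/logback.xml").read())` against a deployment's file; a True result on an unpatched build means the workaround is not in place.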
📡 Detection & Monitoring
Log Indicators:
- Parameter values appearing in logs with DEBUG level entries from FlowSynchronization class
SIEM Query:
source="nifi-app.log" AND "DEBUG" AND "FlowSynchronization" AND "Parameter"