VYPR
Medium severity (6.5) · NVD Advisory · Published Oct 10, 2017 · Updated May 13, 2026

CVE-2017-12623

Description

Apache NiFi before 1.4.0 allows an authorized user to perform an XXE attack via a maliciously crafted template, accessing sensitive files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An XML External Entity (XXE) vulnerability exists in the template upload functionality of Apache NiFi versions prior to 1.4.0 [1][2]. An authorized user with permission to upload templates can include, in the template XML, a DOCTYPE that declares an external entity whose SYSTEM identifier points at a local file. When NiFi parses the uploaded template with a parser that resolves external entities, that file is fetched and its content substituted into the parsed document, which lets the uploader read files from the server's file system that the NiFi process can access. The issue is fixed in Apache NiFi 1.4.0 [1][2].

Exploitation

To exploit this vulnerability, an attacker needs a valid user account authorized to upload templates to an Apache NiFi instance running a version prior to 1.4.0 [1][2]. The attacker crafts a template whose DOCTYPE declares an external entity pointing at a sensitive local file (e.g., /etc/passwd or configuration files) and references that entity from within the template body [2]. When the malicious template is uploaded, the NiFi server parses the XML, resolves the entity, and substitutes the file's contents into the parsed document, which may then be exposed to the attacker through the application's response or subsequent data processing [2]. As with any classic XXE, a plain entity reference only returns intact file content that the parser can accept as XML text; files containing stray "<" or unbalanced markup break the parse instead of being disclosed.

Impact

Successful exploitation results in the disclosure of sensitive files from the Apache NiFi server [1][2]. This exposure can lead to information disclosure of system configuration, credentials, or other confidential data, compromising the confidentiality of the application and underlying infrastructure [2]. The attacker gains read access to files that the NiFi process has access to, potentially elevating the impact depending on the contents of the disclosed files [2].

Mitigation

The fixed version is Apache NiFi 1.4.0, released on 2017-10-10 [1][2]. All users running a prior 1.x release should upgrade to 1.4.0 or later [1][2]. No workaround is documented for this vulnerability [1][2]. Users unable to upgrade immediately should treat the following as compensating controls rather than a fix: restrict the template upload permission to trusted users, and monitor uploaded templates for DOCTYPE or ENTITY declarations, which a legitimate template has no reason to carry.
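The mechanism described in the Vulnerability, Exploitation and Mitigation sections above, as an added example that is not code from this page or from the NiFi project. It builds a minimal template-shaped XML document (a constructed stand-in for NiFi's real template format, assumed here to be parsed by a DOCTYPE-tolerant parser), parses it once with external entity resolution switched on to show the file contents landing in the parsed output, and once with DOCTYPE declarations refused, the equivalent of the JAXP `http://apache.org/xml/features/disallow-doctype-decl` hardening. The "secret" file is a constructed temporary file, not a real NiFi configuration file, and `template_is_safe` is a hypothetical pre-upload check, not a NiFi API.

```python
# Added example (not NiFi code): XXE through a template-shaped XML file,
# parsed once unhardened and once with DOCTYPE refused.
import os
import tempfile
import xml.parsers.expat

# Constructed stand-in for a sensitive file on the NiFi host; a real attack
# would name an absolute server path such as a configuration file.
SECRET_FILE = os.path.join(tempfile.mkdtemp(), "nifi.properties")
with open(SECRET_FILE, "w", encoding="utf-8") as fh:
    fh.write("nifi.sensitive.props.key=constructed-secret-value\n")

# Constructed malicious template: the DOCTYPE declares an external general
# entity whose SYSTEM id is a local file, and &xxe; inside <description>
# makes the parser substitute that file's content into the document.
MALICIOUS_TEMPLATE = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE template [
  <!ENTITY xxe SYSTEM "file://{SECRET_FILE}">
]>
<template encoding-version="1.0">
  <name>Exfil</name>
  <description>&xxe;</description>
  <snippet/>
</template>
"""

BENIGN_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<template encoding-version="1.0">
  <name>Harmless</name>
  <description>Just a flow</description>
  <snippet/>
</template>
"""


def _collect_description(parser):
    """Install handlers gathering the text of <description>; the returned
    list fills up during Parse and is joined by the caller."""
    chunks = []
    state = {"inside": False}

    def start(name, attrs):
        state["inside"] = name == "description"

    def end(name):
        if name == "description":
            state["inside"] = False

    def chars(data):
        if state["inside"]:
            chunks.append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    return chunks


def vulnerable_parse(xml_text):
    """Parse with external entity resolution enabled, the pre-1.4.0 behaviour
    this CVE describes. Returns the text that ends up in <description>."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = _collect_description(parser)

    def resolve_external(context, base, system_id, public_id):
        # An unhardened parser fetches the SYSTEM id and parses its content
        # as part of the document; the child parser inherits the handlers
        # above, so the file's bytes flow straight into `chunks`.
        path = system_id[len("file://"):]
        with open(path, encoding="utf-8") as fh:
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(fh.read(), True)
        return 1

    parser.ExternalEntityRefHandler = resolve_external
    parser.Parse(xml_text, True)
    return "".join(chunks)


def hardened_parse(xml_text):
    """Parse with any DOCTYPE refused. The document is rejected before the
    parser reaches an entity reference, no external resolver is installed,
    and nothing on disk is touched."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = _collect_description(parser)

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE declarations are not allowed in templates")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(xml_text, True)
    return "".join(chunks)


def template_is_safe(xml_text):
    """Hypothetical pre-upload check: True only if the hardened parser accepts it."""
    try:
        hardened_parse(xml_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("unhardened:", vulnerable_parse(MALICIOUS_TEMPLATE).strip())
    print("hardened, benign accepted:", template_is_safe(BENIGN_TEMPLATE))
    print("hardened, malicious accepted:", template_is_safe(MALICIOUS_TEMPLATE))
```

Run it directly to see the secret file's line appear as the parsed description under the unhardened parser and the same document refused outright under the hardened one. Refusing any DOCTYPE is the check to put in front of template upload if you cannot move to 1.4.0: reject the whole upload rather than trying to filter individual entity declarations. This mirrors standard JAXP hardening and is not necessarily the exact change NiFi shipped in 1.4.0.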

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               Ecosystem   Affected versions    Patched versions
org.apache.nifi:nifi  Maven       >= 1.0.0, < 1.4.0    1.4.0

Affected products

Apache/Nifi (7 versions):
  • cpe:2.3:a:apache:nifi:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:nifi:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:nifi:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:nifi:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:nifi:1.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:nifi:1.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:nifi:1.3.0:*:*:*:*:*:*:*

GHSA coordinates: >= 1.0.0, < 1.4.0
CPE-derived range (Apache): 1.0.0 to 1.3.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3 references (entries not shown on this page).

News mentions

No linked articles in our index yet.