Firsthand Analysis of Apache NiFi Vulnerability CVE-2023-34468
Remote code execution vulnerabilities receive heightened attention, with good reason, in light of the broad impact of such breaches. The prevalence of computing technology has raised awareness of the need for rapid security reporting and responsive mitigation. It is in the interest of both software engineers and system operators to stay current with the latest updates to individual libraries and deployed applications. Various products and services attempt to assist engineers in finding and analyzing security vulnerabilities, but the level of detail provided is sometimes lacking.
Apache NiFi vulnerability CVE-2023-344648 presents an opportunity for a closer analysis of initial disclosure, impact scope, and subsequent reporting. This particular issue is a good example of responsible and collaborative vulnerability resolution in the context of open source software. The vulnerability itself and published reporting highlight the need for accurate impact assessments. Vulnerability disclosure can be challenging as the need for openness can conflict with the desire to avoid enabling malicious actors. No matter the amount of detail, however, having a clear and concise understanding of the threat model is vital to disclosure, analysis, and mitigation.
The National Vulnerability Database assigned a base score of 8.8 on a scale of 1 to 10 for CVE-2023-344648, rating it with a high severity. Although the calculated score raises significant concerns, the exploitability of the problem is lower than the assigned numbers would indicate. Exploitation of the vulnerability requires successful authentication and sufficient permissions to modify and operate specific processing components.
With the release of Apache NiFi 1.14.0 in July 2021, default installations require username and password authentication over encrypted HTTPS, limiting access to authenticated users. For installations configured with standard managed authorization and access policies, the initial configuration limits access to one administrative user responsible for defining policies. These constraints heighten privilege requirements necessary to trigger the vulnerability. Access controls also raise the attack complexity level, requiring an attacker to use alternative strategies to acquire credentials necessary for authentication. Even after successful authentication, the authenticated user must have sufficient permissions to configure and run targeted components.
The impact of successful vulnerability exploitations remains high for system confidentiality, integrity, and availability, given the nature of remote code execution. Mitigating factors in secured deployments effectively reduce the overall severity of CVE-2023-34468 from high to medium. Standard Apache NiFi capabilities including HTTP request logging and flow configuration history can be used to audit system activity, providing additional defenses against malicious actions from authenticated and authorized users.
The Apache Software Foundation provides a well-defined process for handling possible vulnerabilities in projects. The Apache NiFi Security guidelines summarize the steps involved. Addressing security concerns begins with a summary of the problem and documentation of reproducible steps. During the initial review, both the reporter and project maintainers are responsible for evaluating the problem privately before making a disclosure. When project maintainers accept a reported vulnerability, the process of implementing a mitigation begins. Following implementation, review, and merging of changes, the project prepares a vulnerability announcement for publication in conjunction with release of a new version.
Matei “Mal” Badanoiu followed project guidelines and presented a thorough report of findings to the Apache NiFi Security Team on 2023-06-06. The report provided specific operating system and project version information with clear instructions outlining the steps required to reproduce the problem. Project maintainers reviewed the findings, responded to the reporter, and implemented a resolution on 2023-06-06. The Apache NiFi project released version 1.22.0 on 2023-06-11, publishing the vulnerability as CVE-2023-34468.
Following the publication and resolution of CVE-2023-34468, Matei “Mal” Badanoiu provided additional reporting on incomplete validation of JDBC connection URLs. After initial reporting on 2023-08-03 and collaborative discussion of the issue, project maintainers accepted the findings and reserved CVE-2023-40037 on 2023-08-08, releasing a resolution in Apache NiFi 1.23.1 on 2023-08-18. The attention to detail and additional effort on the part of the reporter illustrate the positive results of coordination between security researches and open source projects.
Exploiting CVE-2023-34468 depends on a combination of the H2 database driver, Apache NiFi database connection pooling Controller Services, and an Apache NiFi Processor capable of using database connections.
H2 Database Capabilities
The primary point of attack depends on access to the embedded H2 database driver. H2 is a Java library that supports relational database access with memory-based or file-based storage options. Apache NiFi has used H2 for local caching of user session information and identity provider groups, as well as flow configuration history. These features required bundling H2 in standard distributions of project binaries.
The root of the vulnerability is H2 support for creating and running user-defined functions containing custom Java code. H2 directives such as CREATE ALIAS and CREATE TRIGGER support defining commands with custom Java code for subsequent execution. These commands run in the same Java Virtual Machine as the calling application, executing with the same operating system privileges. The ability to define and run custom Java code presents a number of potential paths for exploitation, with core classes such as java.lang.Runtime and java.lang.ProcessBuilder supporting the execution of operating system commands.
Database Connection Pooling Services
Apache NiFi has supported configurable database access using the DBCPConnectionPool Controller Service since the release of version 0.2.0. Apache NiFi 1.16.0 introduced HikariCPConnectionPool based on the HikariCP library as an alternative solution for relational database connection pooling. Both of these Controller Services support configurable database access using external JDBC libraries specified in component properties. This approach enables NiFi flow administrators to reference JDBC libraries from any vendor. The option to configure an external library avoids coupling the connection pooling services to particular drivers.
Based on the configurable properties of database connection pooling services, authorized NiFi users could an H2 database connection. With the H2 driver packaged as part of standard project binaries, configuring an H2 connection did not require downloading the driver library from an external location.
Apache NiFi includes a set of standard
access policies that regulate
the abilities of authenticated users. Application
Component Access Policies
modify the component and
operate the component, which an administrator must grant for NiFi users to create
and enable Controller Services. Without both of these policies assigned, an authenticated NiFi user cannot configure an
H2 database connection, mitigating potential threats.
Exercising H2 database connections requires not only configuring a database connection pool, but also configuring a Processor that references the Controller Service. Applicable Processors include ExecuteSQL and PutSQL among others. Configuring and running Processors requires the same component access policies described for database connection pooling services. Running a Processor that references a database Controller Service triggers the creation of an H2 database connection, with the potential for executing user-defined functions.
Exploiting vulnerable H2 database connections in Apache NiFi involves access credentials capable of administering NiFi flows. The initial NVD base score of 8.8 included an Attack Complexity rating of Low and a Privileges Required rating of Low. For Apache NiFi deployments configured with authentication over HTTPS, however, the Attack Complexity should be considered High and the Privileges Required should also be considered High. Adjusting the Attack Complexity and Privileges required have a notable influence on the overall CVSS 3.1 rating.
Starting with Apache NiFi 1.14.0, the default installation generates a random username and random password with lengths sufficient to frustrate most brute force access techniques. Earlier versions of Apache NiFi with HTTPS enabled also provide foundational defenses against exploitation. This highlights the importance of secure configuration defaults. With authentication requirements configured, an attacker cannot trigger code execution. From this perspective, the attack complexity is much higher, requiring techniques outside the scope of CVE-2023-34468.
Compromising user credentials is also insufficient if the user is not granted access to modify and operate components. This emphasizes the value of applying the principle of least privilege when defining and applying access policies. Access to create, enable, and run components falls into the realm of elevated permissions, raising the privileges required beyond those of a standard user.
The point of reviewing access requirements is not to discourage upgrading to patched versions of Apache NiFi, but to provide a complete context for threat evaluation.
Published Exploitation and Analysis
After initial disclosure and patching in June 2023, several months passed before renewed attention to CVE-2023-34468. Interest in the vulnerability has increased since August 2023 with the publication of exploit code and subsequent reporting from several sources.
Exploit Code Publication
Following the release of Apache NiFi 1.23.1 to resolve the related vulnerability CVE-2023-40037, security researchers published Apache NiFi H2 Connection String Remote Code Execution on Packet Storm. The exploit code runs on the Metasploit framework. The exploit requires authentication using a Bearer Token, which in turn requires authentication credentials to obtain using the NiFi REST API.
Based on the version published on 2023-08-30, the exploit code depends on the H2 database driver located in a specific directory for the Apache NiFi Toolkit. The Toolkit is packaged separately from from the standard release binary version of Apache NiFi. The Apache NiFi unofficial Docker container includes the Toolkit, indicating that the exploit code is targeted to deployments based on containerized deployments. Apache NiFi also includes the H2 driver at a different location. The difference does not provide protection against the vulnerability itself, but it indicates a level of knowledge required for exploitation.
Based on NVD scoring and exploit code publication, CYFIRMA Research published a report about CVE-2023-34468 on 2023-09-28, describing the vulnerability and exploitation. The report commends the collaboration of security researches with the Apache Software Foundation leading to prompt resolution. The report also summarizes the number of known hosts running Apache NiFi, and walks through the execution process of the Metasploit exploitation.
Although listing strict access controls among other mitigation strategies, the research does not indicate that exploitation requires successful authentication and sufficient authorization. The exploit workflow description notes that initialization requires several parameters including the HTTP base URL, but it fails to mention the requirement of an authenticated bearer token. The remainder of the workflow description contains a helpful summary of the exploitation process, but without authorization, none of the steps described can succeed. CYFIRMA Research also published an audio summary of their research on PlayerFM as podcast Episode 042.
Following the publication of analysis from CYFIRMA Research, SecurityWeek picked up the story and published Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks on 2023-09-29. SecurityWeek correspondent Ionut Arghire published the summary of the CYFIRMA Research analysis, emphasizing the high severity rating of remote code execution. The article correctly notes the ability to execute code using crafted H2 database connections, and accurately cites the original vulnerability notification in stating that the issue can be exploited by an authenticated user. The summary does not mention authorization requirements for successful exploitation. As an example of additional summary reporting, OODA Loop published a single paragraph description of the article from SecurityWeek. The summary retained mention of exploitation from an authenticated user, but did not mention authorization.
Software maintenance and vulnerability mitigation are cyclical efforts that can be difficult to prioritize when compared to other requirements. Upgrading is often tedious and disruptive. At the same time, automated services attempt to categorize known vulnerabilities based on quantified attributes, with the goal of assisting administrators and managers in evaluating relative levels of concern. Thorough source code analysis is not available for every published vulnerability, but security tooling continues advancing.
Understanding the threat model and attack vectors of particular vulnerabilities is vital to both analysis and mitigation. Apache NiFi CVE-2023-34468 illustrates the importance of moving past the headlines and evaluating the exploitability of the problem. Knowing both the nature of the threat and the deployment environment is critical. An accurate perspective on the potential impact is important, and should be sufficient reason for upgrading to patched releases. At the same time, a clear assessment of the barriers to exploitation is the most actionable information.