Tags • Security
Modernizing Streaming Encryption with age in Apache NiFi
Apache NiFi 2.0.0-M1 and 1.24.0 introduced new Processors supporting the age-encryption.org/v1 specification. Built on the Jagged framework implementation, the EncryptContentAge and DecryptContentAge Processors perform streaming cipher operations using the ChaCha20-Poly1305 algorithm. The age specification supports key agreement using the elliptic curve X25519 function, providing a modern solution for automated encryption and decryption with standard key pairs.
Firsthand Analysis of Apache NiFi Vulnerability CVE-2023-34468
Recent reporting on Apache NiFi vulnerability CVE-2023-34468 has highlighted significant concerns related to potential remote code execution. Although upgrading to the latest version of Apache NiFi remains the recommended solution, a closer evaluation of the vulnerability shows important details glossed over in published analysis. Exploiting H2 database connection strings requires both authentication and sufficient authorization, the importance of which is missing from recent reporting.
Introducing Jagged for age Encryption in Java
Jagged is a set of Java libraries supporting the age encryption specification. Designed as a simple and modern file encryption standard, age builds on trusted cryptographic algorithms and provides a concise structure for formatting header and payload information. Jagged provides a modular implementation to enable application integration for automated or interactive use cases.
Supporting OIDC Refresh Tokens in Apache NiFi
Apache NiFi 1.21.0 introduced support for OAuth 2 Refresh Tokens as part of redesigned OpenID Connect integration. Refresh Tokens support extended application sessions while maintaining security using Access Tokens with short expirations. Redesigned OIDC integration is compatible with existing deployments and provides additional security with standardized OAuth 2 Token Revocation.
SSHJ Key Authentication Formats
SSHJ is a Java library supporting SSH and SFTP client operations. As the SSH protocol has evolved to support multiple authentication strategies, SSHJ has adapted to support a variety of formats and algorithms for public key authentication. Based on an extensible design, SSHJ is capable of loading and using keys from a number of different source formats.
Backward Compatible Content Decryption in Apache NiFi
Backward compatibility is both an important and challenging part of software engineering. Decrypting information using legacy algorithms requires additional maintenance, but it provides a migration path for better alternatives. Apache NiFi 1.20.0 introduced new content decryption processors to enable migration from weak and proprietary formats to more robust options.
Integrating Apache NiFi with Okta LDAP Groups
Lightweight Directory Access Protocol supports a number of integration strategies in Apache NiFi, including authentication and authorization. LDAP can be used in conjunction with single sign-on solutions to provide user enumeration and group membership for NiFi access policies. In addition to serving as an Identity Provider using OIDC or SAML, Okta provides an LDAP interface for centralized management and retrieval of users and groups.
Integrating Apache NiFi with Okta OIDC Authentication
Apache NiFi has supported single sign-on authentication using OpenID Connect since version 1.4.0. Building on the OAuth 2.0 specification, OIDC supports delegated authentication using standard credential processing flows. The Okta identity platform provides configurable OIDC authentication, enabling centralized identity management and access policy enforcement. Okta delivers a well-documented implementation of OpenID Connect, supporting a robust authentication strategy for NiFi deployments.
Integrating Apache NiFi with Okta SAML Authentication
Apache NiFi 1.13.0 introduced support for single sign-on authentication through a SAML identity provider. NiFi 1.17.0 included a refactored implementation based on Spring Security 5 while maintaining compatible points of integration. The Okta identity platform enables configurable SAML 2.0 authentication, supporting federated access as well as group management and single logout processing. Configuring Apache NiFi with Okta SAML provides a strong access management solution.
Implementing Apache NiFi Support for Sensitive Dynamic Properties
Apache NiFi 1.17.0 introduced framework support for sensitive dynamic properties, allowing operators to protect custom properties in selected components. Sensitive dynamic properties enable component developers to support flexible configuration while maintaining system security.
Analyzing and Mitigating XML External Entity Vulnerabilities in Apache NiFi
Apache NiFi 1.16.1 resolved XML external entity vulnerabilities in multiple components, described in CVE-2022-29265. Reviewing current and previous XML vulnerabilities enables an accurate characterization of the impact on particular deployments. A summary of the resolution provides useful details for any project that performs XML processing.
Evaluating Log4Shell and Apache NiFi
The Apache Log4j 2 arbitrary code execution vulnerability known as Log4Shell has impacted numerous products and services. Although Apache NiFi does not use Log4j 2 directly, several extension components include library references that should be considered.
Configuring Apache NiFi Repository Encryption
Configurable information storage is a core feature of Apache NiFi. Multiple releases have expanded support for encrypting information in application repositories. Recent updates in NiFi 1.15.0 have streamlined both the implementation and the configuration associated with repository encryption.
Improving JWT Authentication in Apache NiFi
JSON Web Tokens provide authorized access to Apache NiFi for a number of authentication strategies. Recent changes to JWT handling have improved the security posture of several important elements including key generation, secret storage, signature verification, and token revocation.
Deciphering Apache NiFi Component Property Encryption
Encrypting sensitive component properties is one of the foundational features of Apache NiFi. Understanding and configuring the required settings is essential to deploying a secure system.
Single User Access and HTTPS in Apache NiFi
Apache NiFi 1.14.0 builds on a foundation of configurable security and provides a better starting point for simple deployments. Single user authentication and automatic certificate generation for HTTPS access close several gaps in the default configuration.