Apache NiFi
cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*
- >= 1.20.0, <= 2.6.0
A vulnerability exists in Apache NiFi versions 1.20.0 through 2.6.0 within the GetAsanaObject Processor. This processor requires integration with a configurable Distributed Map Cache Client Service to store and retrieve state information. The vulnerability arises because the processor uses generic Java Object serialization and deserialization without any filtering, so it accepts crafted state information returned by the cache server. Exploitation requires an active Apache NiFi system with the GetAsanaObject Processor and direct access to the configured cache server.
Exploitation of this vulnerability results in unfiltered Java object deserialization: an attacker who controls the cache contents can craft state information that the processor will accept and process, potentially leading to unauthorized actions or data manipulation within the NiFi environment.
Users are advised to upgrade to Apache NiFi version 2.7.0, which replaces Java Object serialization with JSON serialization, mitigating the vulnerability. Alternatively, the GetAsanaObject Processor can be removed from the nifi-asana-processors-nar bundle to prevent exploitation.
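The contrast between the unfiltered pattern described above and a restricted one is shown below as an added, stand-alone example; it is not NiFi code, and the `PollState` and `UnexpectedPayload` classes are constructed stand-ins for state stored in a cache. The hardened reader applies a JEP 290 `ObjectInputFilter` so that only the expected state class is accepted, which is the in-place mitigation available to any Java component that cannot yet move to JSON as NiFi 2.7.0 did.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FilteredStateDeserialization {
    // Hypothetical stand-in for the state a polling processor keeps in a cache (constructed).
    static final class PollState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String lastSyncToken;
        PollState(String lastSyncToken) { this.lastSyncToken = lastSyncToken; }
    }
    // Hypothetical class the processor never expects to get back from the cache (constructed).
    static final class UnexpectedPayload implements Serializable {
        private static final long serialVersionUID = 1L;
    }
    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(value); }
        return bytes.toByteArray();
    }
    // Vulnerable pattern: whatever the cache returns is deserialized with no restriction.
    static Object readUnfiltered(byte[] cached) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(cached))) {
            return in.readObject();
        }
    }
    // Hardened pattern (JEP 290): allow only the expected state class plus java.base types,
    // reject every other class, and cap object-graph depth and size.
    static PollState readFiltered(byte[] cached) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            PollState.class.getName() + ";java.base/*;!*;maxdepth=3;maxbytes=4096");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(cached))) {
            in.setObjectInputFilter(filter);
            return (PollState) in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new PollState("sync-token-123"));
        byte[] bad = serialize(new UnexpectedPayload());
        System.out.println("filtered, expected class: " + readFiltered(good).lastSyncToken);
        System.out.println("unfiltered accepts anything: " + readUnfiltered(bad).getClass().getSimpleName());
        try { readFiltered(bad); }
        catch (InvalidClassException rejected) { System.out.println("filtered rejected: " + rejected.getMessage()); }
    }
}
```

The same allow-list can be installed process-wide with the `jdk.serialFilter` system property, which is the quicker check to apply on a deployed JVM while an upgrade is scheduled.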