CVE-2024-52067: Sensitive Data Exposed in Apache NiFi Debug Logs
A newly discovered vulnerability in Apache NiFi could inadvertently expose sensitive parameter values in debug logs, potentially compromising confidential information. The flaw, tracked as CVE-2024-52067, affects Apache NiFi versions 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4.
Apache NiFi is a dataflow system based on the concepts of flow-based programming. It supports powerful and scalable directed graphs of data routing, transformation, and system mediation logic. NiFi has a web-based user interface for design, control, feedback, and monitoring of dataflows.
The vulnerability stems from optional debug logging functionality within NiFi’s flow synchronization process. While this logging is not enabled by default, an authorized administrator with the ability to modify logging levels could inadvertently expose parameter names and values in the application log.
“Parameter Context values may contain sensitive information depending on application flow configuration,” warns the official security bulletin. This means that depending on how NiFi is configured, critical data could be leaked through these debug logs.
Fortunately, deployments using the default Logback configuration are not susceptible to this vulnerability. However, organizations running non-standard configurations are urged to take immediate action.
The recommended mitigation is to upgrade to either Apache NiFi 2.0.0 or 1.28.1. These versions have eliminated parameter value logging from the flow synchronization process, regardless of the Logback configuration, effectively patching the vulnerability.
