A high-severity remote code execution (RCE) vulnerability in Apache NiFi, for which an exploitation tool already exists, can lead to unauthorized access and data breaches, cybersecurity firm Cyfirma warns.
An open-source data integration and automation tool, Apache NiFi is used for the processing and distribution of data.
Tracked as CVE-2023-34468 (CVSS score of 8.8) and addressed in June 2023, the issue can be exploited by authenticated users to “configure a database URL with the H2 driver that enables custom code execution”.
The issue exists because certain NiFi services support configurable access to databases using JDBC and because any string could be introduced when setting properties such as the connection URL.
This essentially allows an attacker to craft connection strings for H2 – an embedded Java-based database typically used in Apache NiFi – to execute code remotely on vulnerable NiFi instances and gain unauthorized access to systems and data.
“The impact of this vulnerability is severe, as it grants attackers the ability to gain unauthorized access to systems, exfiltrate sensitive data, and execute malicious code remotely,” Cyfirma notes in an analysis of the bug and its exploitation.
The bug impacts NiFi versions 0.0.2 through 1.21.0 and was addressed with the release of NiFi version 1.22.0, which “disables H2 JDBC URLs in the default configuration”.
As of August 30, a public exploit exists for this vulnerability, but no malicious exploitation of the flaw has been observed to date, Cyfirma notes.
However, considering the severity and impact of the bug, and the fact that vulnerabilities in similar software products are known to have been exploited in malicious attacks, organizations are advised to update their NiFi instances and remain vigilant of potential exploitation attempts.
“It is important to acknowledge that threat actors may attempt to exploit CVE-2023-34468 in Apache NiFi. This could lead to unauthorized access, data breaches, or network compromise. Organizations should take this risk seriously and apply patches or updates to secure their systems,” Cyfirma notes.
In fact, Cyfirma notes that it has observed cyber actors “actively discussing or exploiting CVE-2023-34468” on the dark web and that the attack complexity level for this bug is low.
The cybersecurity firm has identified roughly 2,700 Apache NiFi instances exposed to the internet, belonging to organizations in various sectors, including finance, government, healthcare, telecommunications, and others.