Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks

Hackers have set their sights on CVE-2023-34468, an RCE vulnerability in Apache NiFi that impacts thousands of organizations. 

Hackers have set their sights on CVE-2023-34468, an RCE vulnerability in Apache NiFi that impacts thousands of organizations. 

A high-severity remote code execution (RCE) vulnerability in Apache NiFi, for which an exploitation tool already exists, can lead to unauthorized access and data breaches, cybersecurity firm Cyfirma warns.

An open-source data integration and automation tool, Apache NiFi is used for the processing and distribution of data.

Tracked as CVE-2023-34468 (CVSS score of 8.8) and addressed in June 2023, the issue can be exploited by authenticated users to “configure a database URL with the H2 driver that enables custom code execution”.

The issue exists because certain NiFi services support configurable access to databases using JDBC and because any string could be introduced when setting properties such as the connection URL.

This essentially allows an attacker to craft connection strings for H2 – an embedded Java-based database typically used in Apache NiFi – to execute code remotely on vulnerable NiFi instances and gain unauthorized access to systems and data.

“The impact of this vulnerability is severe, as it grants attackers the ability to gain unauthorized access to systems, exfiltrate sensitive data, and execute malicious code remotely,” Cyfirma notes in an analysis of the bug and its exploitation.

The bug impacts NiFi versions 0.0.2 through 1.21.0 and was addressed with the release of NiFi version 1.22.0, which “disables H2 JDBC URLs in the default configuration”.

As of August 30, a public exploit exists for this vulnerability, but no malicious exploitation of the flaw has been observed to date, Cyfirma notes.

Advertisement. Scroll to continue reading.

However, considering the severity and impact of the bug, and the fact that vulnerabilities in similar software products are known to have been exploited in malicious attacks, organizations are advised to update their NiFi instances and remain vigilant of potential exploitation attempts.

“It is important to acknowledge that threat actors may attempt to exploit CVE-2023-34468 in Apache NiFi. This could lead to unauthorized access, data breaches, or network compromise. Organizations should take this risk seriously and apply patches or updates to secure their systems,” Cyfirma notes.

In fact, Cyfirma notes that it has observed cyber actors “actively discussing or exploiting CVE-2023-34468” on the dark web and that the attack complexity level for this bug is low.

The cybersecurity firm has identified roughly 2,700 Apache NiFi instances exposed to the internet, belonging to organizations in various sectors, including finance, government, healthcare, telecommunications, and others.

Related: Azure HDInsight Flaws Allowed Data Access, Session Hijacking, Payload Delivery

Related: OpenMeetings Flaws Allow Hackers to Hijack Instances, Execute Code on Servers

Related: Organizations Warned of Security Risk in Default Apache Superset Configurations

Related Content


CISA has added a critical-severity Apache Superset flaw (CVE-2023-27524) to its Known Exploited Vulnerabilities catalog.


Shadowserver sees possible in-the-wild exploitation of a critical Apache OFBiz vulnerability tracked as CVE-2023-49070.


Attackers are attempting to exploit a critical RCE flaw in Apache Struts 2 after researchers publish PoC code.


Apache has addressed a critical-severity Struts 2 file upload vulnerability that could lead to remote code execution.


A recently patched Apache ActiveMQ vulnerability tracked as CVE-2023-46604 is being exploited to deliver ransomware.


Attackers can exploit Apache Superset installations with default configurations to gain administrator access and execute code on servers and databases.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version