Unprotected Apache NiFi API interface
Description
Apache NiFi is a data flow automation tool that, in its default configuration, operates over unencrypted HTTP without authentication requirements. This means any user who can access the NiFi web interface automatically receives full administrative privileges, allowing unrestricted control over data flows, processors, and system configurations.
This vulnerability exists when NiFi is deployed with default security settings that do not enforce user authentication or access controls.
Remediation
Immediately secure the Apache NiFi installation by implementing the following steps:
1. Enable HTTPS: Configure NiFi to use TLS/SSL encryption by updating the nifi.properties file with appropriate keystore and truststore settings.
2. Enable Authentication: Configure one of the supported authentication methods in nifi.properties. For single-user authentication, generate credentials using:
./bin/nifi.sh set-single-user-credentials <username> <password>
For multi-user environments, configure LDAP, Kerberos, or OIDC authentication as appropriate for your organization.
3. Restrict Network Access: Use firewall rules or network segmentation to limit access to the NiFi interface (default port 8443 for HTTPS) to only authorized IP addresses or networks.
4. Configure Authorization: Define user roles and policies in NiFi's authorizers.xml to implement least-privilege access controls.
Refer to the official Apache NiFi Administration Guide for detailed configuration instructions specific to your version.