Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2023-34468

CVE-2023-34468: Apache NiFi RCE Vulnerability

CVE-2023-34468 is a remote code execution flaw in Apache NiFi affecting versions 0.0.2 through 1.21.0. Attackers can exploit database connection pools to execute custom code. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2023-34468 Overview

CVE-2023-34468 is a Remote Code Execution (RCE) vulnerability affecting Apache NiFi's DBCPConnectionPool and HikariCPConnectionPool Controller Services. An authenticated and authorized user can configure a Database URL with the H2 driver that enables custom code execution on the underlying server. This vulnerability allows attackers with valid credentials to leverage the H2 database JDBC connection string to execute arbitrary code, potentially leading to complete system compromise.

Critical Impact

Authenticated attackers can achieve remote code execution by exploiting H2 database connection string injection in Apache NiFi's connection pool services, potentially leading to full system compromise.

Affected Products

  • Apache NiFi versions 0.0.2 through 1.21.0
  • DBCPConnectionPool Controller Service
  • HikariCPConnectionPool Controller Service

Discovery Timeline

  • 2023-06-12 - CVE-2023-34468 published to NVD
  • 2025-02-13 - Last updated in NVD database

Technical Details for CVE-2023-34468

Vulnerability Analysis

This vulnerability exists in Apache NiFi's database connection pool services, specifically the DBCPConnectionPool and HikariCPConnectionPool Controller Services. The root issue stems from inadequate validation of Database URL configurations when using the H2 JDBC driver. H2 is an embedded Java SQL database that supports various connection string features, including the ability to execute Java code through INIT scripts or other mechanisms.

When an authenticated user configures a database connection, they can craft a malicious H2 JDBC URL that triggers code execution. The H2 database driver supports several dangerous connection string parameters that can be exploited, such as INIT for executing SQL scripts at connection time, which can include RUNSCRIPT FROM directives that load and execute external scripts.

The vulnerability requires authentication, meaning an attacker must have valid credentials to access the NiFi web interface and permissions to configure Controller Services. However, once authenticated, the attack can be executed remotely over the network without user interaction. The impact is severe as successful exploitation grants the attacker the ability to execute arbitrary code with the privileges of the NiFi process, potentially leading to complete confidentiality, integrity, and availability compromise.

Root Cause

The root cause is improper input validation (CWE-94: Code Injection) in the database connection URL handling. Apache NiFi's connection pool services did not properly validate or sanitize Database URL configurations, allowing specially crafted H2 JDBC connection strings to execute arbitrary code. The H2 driver provides features that, while legitimate for development purposes, can be weaponized when exposed to user-controlled input.

Attack Vector

The attack vector is network-based, requiring an authenticated attacker to access the NiFi web interface. The attacker exploits the vulnerability by creating or modifying a DBCPConnectionPool or HikariCPConnectionPool Controller Service with a malicious H2 JDBC URL. The malicious URL leverages H2-specific features such as INIT=RUNSCRIPT FROM to execute arbitrary SQL or Java code when the connection pool initializes or tests the connection.

The attack flow typically involves:

  1. Authenticating to the Apache NiFi web interface
  2. Navigating to Controller Services configuration
  3. Creating or modifying a connection pool service
  4. Setting the Database URL to a malicious H2 JDBC connection string containing code execution payloads
  5. Triggering the connection (e.g., by testing or enabling the service)

Technical details and exploitation methodology can be found in the Packet Storm RCE Exploit and the Cyfirma Vulnerability Analysis.

Detection Methods for CVE-2023-34468

Indicators of Compromise

  • Controller Service configurations containing H2 JDBC URLs with suspicious parameters like INIT, RUNSCRIPT, or TRACE_LEVEL
  • Unexpected processes spawned by the NiFi Java process
  • Unusual network connections originating from the NiFi server
  • Modifications to Controller Service configurations by unexpected users

Detection Strategies

  • Monitor NiFi audit logs for Controller Service creation or modification events involving database connection pools
  • Implement alerts for Database URL configurations containing h2: JDBC prefixes
  • Deploy endpoint detection to identify suspicious child processes spawned by the NiFi service
  • Review Controller Service configurations for H2 database connections that should not exist in production environments

Monitoring Recommendations

  • Enable comprehensive audit logging in Apache NiFi for all configuration changes
  • Implement SIEM rules to detect H2 JDBC URL patterns in NiFi configuration events
  • Monitor for unusual code execution or system calls from the NiFi process
  • Establish baseline behavior for NiFi process activity and alert on anomalies

How to Mitigate CVE-2023-34468

Immediate Actions Required

  • Upgrade Apache NiFi to version 1.22.0 or later immediately
  • Audit existing Controller Service configurations for H2 database connections
  • Review access controls to ensure only trusted users can configure Controller Services
  • Implement network segmentation to limit exposure of NiFi management interfaces

Patch Information

Apache has released version 1.22.0 which addresses this vulnerability by validating Database URLs and rejecting H2 JDBC locations. The fix prevents the configuration of H2 database connections through the affected Controller Services. Organizations should upgrade to version 1.22.0 or later as recommended in the Apache NiFi CVE-2023-34468 Advisory and the Apache Mailing List Thread.

Workarounds

  • Restrict access to Controller Service configuration to only highly trusted administrators
  • Implement network-level access controls to limit who can access the NiFi web interface
  • Remove or disable any existing H2 database connections in Controller Services
  • Consider deploying a web application firewall (WAF) to filter malicious JDBC URL patterns
bash
# Verify current Apache NiFi version
./bin/nifi.sh status

# Check for H2 database connections in flow configuration
grep -i "h2:" conf/flow.xml.gz

# Upgrade to patched version
./bin/nifi.sh stop
# Download and install NiFi 1.22.0 or later
# Migrate configuration and restart
./bin/nifi.sh start

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne