ranger-dev mailing list archives

From Qiang Zhang <zhangqia...@zte.com.cn>
Subject Review Request 69340: RANGER-2244 Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.91 or later.
Date Thu, 15 Nov 2018 09:01:53 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69340/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad,
Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nitin Galave, pengjianhua, Pradeep Agrawal,
Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, sam  rome, Venkat Ranganathan, and
Velmurugan Periasamy.


Bugs: RANGER-2244
    https://issues.apache.org/jira/browse/RANGER-2244


Repository: ranger


Description
-------

[SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect
CVE-2018-11784 Apache Tomcat - Open Redirect

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.11
Apache Tomcat 8.5.0 to 8.5.33
Apache Tomcat 7.0.23 to 7.0.90
The unsupported 8.0.x release line has not been analysed but is likely
to be affected.

Description:
When the default servlet returned a redirect to a directory (e.g.
redirecting to '/foo/' when the user requested '/foo') a specially
crafted URL could be used to cause the redirect to be generated to any
URI of the attacker's choice.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:

Upgrade to Apache Tomcat 9.0.12 or later.
Upgrade to Apache Tomcat 8.5.34 or later.
Upgrade to Apache Tomcat 7.0.91 or later.
Use mapperDirectoryRedirectEnabled="true" and
mapperContextRootRedirectEnabled="true" on the Context to ensure that
redirects are issued by the Mapper rather than the default Servlet.
See the Context configuration documentation for further important
details.

Credit:
This vulnerability was found by Sergey Bobrov and reported responsibly
to the Apache Tomcat Security Team.

History:
2018-10-03 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html


Diffs
-----

  embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java eac0dacaf

  pom.xml 514f87e7f 


Diff: https://reviews.apache.org/r/69340/diff/1/


Testing
-------

1. Modify the SSL configuration items in install.properties for the Ranger Admin.

**SSL config**

db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
javax_net_ssl_keyStore=/opt/ranger-ssl/keystore
javax_net_ssl_keyStorePassword=hdp1234$
javax_net_ssl_trustStore=/opt/ranger-ssl/truststore
javax_net_ssl_trustStorePassword=hdp1234$
...


**------- PolicyManager CONFIG ----------------**


policymgr_external_url=https://localhost:6182
policymgr_http_enabled=false
policymgr_https_keystore_file=/opt/ranger-ssl/rangertomcatverify.jks
policymgr_https_keystore_keyalias=rangertomcatverify
policymgr_https_keystore_password=hdp1234$


2. Install the Ranger Admin.


3. Modify the SSL configuration items in install.properties for the usersync.


**POLICY_MGR_URL = http://policymanager.xasecure.net:6080**


POLICY_MGR_URL = https://sslrangerserver:6182


**SSL Authentication**

AUTH_SSL_ENABLED=false
AUTH_SSL_KEYSTORE_FILE=/opt/ranger-ssl/keystore
AUTH_SSL_KEYSTORE_PASSWORD=hdp1234$
AUTH_SSL_TRUSTSTORE_FILE=/opt/ranger-ssl/truststore
AUTH_SSL_TRUSTSTORE_PASSWORD=hdp1234$


4. Install the Ranger usersync.


5. Modify the SSL configuration items in install.properties for the KMS.


**POLICY_MGR_URL = http://policymanager.xasecure.net:6080**


POLICY_MGR_URL = https://sslrangerserver:6182
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
db_ssl_auth_type=2-way
javax_net_ssl_keyStore=/opt/ranger-ssl/keystore
javax_net_ssl_keyStorePassword=hdp1234$
javax_net_ssl_trustStore=/opt/ranger-ssl/truststore
javax_net_ssl_trustStorePassword=hdp1234$


**SSL Client Certificate Information**


SSL_KEYSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-keystore.jks
SSL_KEYSTORE_PASSWORD=myKeyFilePassword
SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-truststore.jks
SSL_TRUSTSTORE_PASSWORD=myTrustFilePassword


6. Install the KMS.


7. Modify the SSL configuration items in install.properties for the plugins.


**POLICY_MGR_URL = http://policymanager.xasecure.net:6080**


POLICY_MGR_URL = https://sslrangerserver:6182


**SSL Client Certificate Information**


SSL_KEYSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-keystore.jks
SSL_KEYSTORE_PASSWORD=myKeyFilePassword
SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-truststore.jks
SSL_TRUSTSTORE_PASSWORD=myTrustFilePassword


8. Install the plugins.


Thanks,

Qiang Zhang
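An added check, not part of this review request or of Apache Ranger: a POSIX shell script that classifies a Tomcat version string against the affected and fixed ranges quoted in the advisory above, and reads the deployed version out of a Tomcat jar. ServerInfo.properties at org/apache/catalina/util/ is a real resource in both catalina.jar and tomcat-embed-core; the jar location under a Ranger install, the <tomcat.version> property name in pom.xml, and the sample ServerInfo content are assumptions or constructed for this example.

```shell
#!/bin/sh
# Added example; not code from the review request or from Apache Ranger.
# Classifies Tomcat versions against the CVE-2018-11784 ranges in the advisory
# and extracts the version from a deployed Tomcat jar or from pom.xml.

# True if $1 is a non-empty string of digits.
is_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print "fixed", "affected" or "unknown" for a Tomcat version string.
# Accepts 7.0.91, the server.number form 7.0.91.0, and milestones like 9.0.0.M1.
tomcat_cve_2018_11784_status() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    is_num "$major" && is_num "$minor" && is_num "$patch" || { echo unknown; return; }
    case "$major.$minor" in
        7.0) fixed=91 ;;   # advisory: 7.0.23 - 7.0.90 affected, 7.0.91 fixed
        8.5) fixed=34 ;;   # advisory: 8.5.0 - 8.5.33 affected, 8.5.34 fixed
        9.0) fixed=12 ;;   # advisory: 9.0.0.M1 - 9.0.11 affected, 9.0.12 fixed
        *)   echo unknown; return ;;  # 8.0.x: unsupported, "likely affected"
    esac
    # Releases older than the affected range (e.g. 7.0.22) are long past EOL;
    # this check deliberately reports them as "affected" so they get upgraded.
    if [ "$patch" -ge "$fixed" ]; then echo fixed; else echo affected; fi
}

# Parse the version out of ServerInfo.properties text read from stdin.
# The file carries a line such as "server.number=7.0.91.0"; the fourth
# component is a build number and is dropped.
tomcat_version_from_serverinfo() {
    tr -d '\r' | sed -n 's/^server\.number=//p' | cut -d. -f1-3 | head -n 1
}

# Read the version from catalina.jar or a tomcat-embed-core-*.jar.
tomcat_version_from_jar() {
    unzip -p "$1" org/apache/catalina/util/ServerInfo.properties 2>/dev/null \
        | tomcat_version_from_serverinfo
}

# Read the pinned embedded Tomcat version from a Maven pom. The
# <tomcat.version> property name is an assumption; check your checkout.
tomcat_version_from_pom() {
    sed -n 's:.*<tomcat\.version>\([^<]*\)</tomcat\.version>.*:\1:p' "$1" | head -n 1
}

# Constructed sample of ServerInfo.properties content, for offline use.
SAMPLE_SERVERINFO='server.info=Apache Tomcat/7.0.90
server.number=7.0.90.0'

# Demonstration against the version ranges listed in the advisory.
for v in 7.0.90 7.0.91 8.5.33 8.5.34 9.0.0.M1 9.0.12 8.0.53; do
    printf '%-9s %s\n' "$v" "$(tomcat_cve_2018_11784_status "$v")"
done
printf 'sample ServerInfo.properties -> %s\n' \
    "$(printf '%s\n' "$SAMPLE_SERVERINFO" | tomcat_version_from_serverinfo)"

# Optional: set TOMCAT_JAR to a deployed jar (for Ranger Admin, assumed to be
# the tomcat-embed-core jar under the install's ews/lib directory).
if [ -n "${TOMCAT_JAR:-}" ]; then
    ver=$(tomcat_version_from_jar "$TOMCAT_JAR")
    printf '%s: %s (%s)\n' "$TOMCAT_JAR" "$ver" "$(tomcat_cve_2018_11784_status "$ver")"
fi
```

Run it with TOMCAT_JAR pointing at the jar actually loaded by the Ranger Admin process rather than trusting pom.xml alone, since a build pin and a deployed artifact can disagree. An "unknown" result for an 8.0.x jar matches the advisory's note that that line is unsupported and likely affected, so treat it as affected.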

