ranger-dev mailing list archives

From Mehul Parikh <mehul.par...@freestoneinfotech.com>
Subject Re: Review Request 69340: RANGER-2244 Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.91 or later.
Date Fri, 23 Nov 2018 13:18:00 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69340/#review210829
-----------------------------------------------------------


Ship it!




Ship It!

- Mehul Parikh


On Nov. 15, 2018, 9:01 a.m., Qiang Zhang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69340/
> -----------------------------------------------------------
> 
> (Updated Nov. 15, 2018, 9:01 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam
> Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nitin Galave, pengjianhua, Pradeep
> Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, sam rome, Venkat Ranganathan,
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2244
>     https://issues.apache.org/jira/browse/RANGER-2244
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect
> CVE-2018-11784 Apache Tomcat - Open Redirect
> 
> Severity: Moderate
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.11
> Apache Tomcat 8.5.0 to 8.5.33
> Apache Tomcat 7.0.23 to 7.0.90
> The unsupported 8.0.x release line has not been analysed but is likely
> to be affected.
> 
> Description:
> When the default servlet returned a redirect to a directory (e.g.
> redirecting to '/foo/' when the user requested '/foo') a specially
> crafted URL could be used to cause the redirect to be generated to any
> URI of the attacker's choice.
> 
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> 
> Upgrade to Apache Tomcat 9.0.12 or later.
> Upgrade to Apache Tomcat 8.5.34 or later.
> Upgrade to Apache Tomcat 7.0.91 or later.
> Use mapperDirectoryRedirectEnabled="true" and
> mapperContextRootRedirectEnabled="true" on the Context to ensure that
> redirects are issued by the Mapper rather than the default Servlet.
> See the Context configuration documentation for further important
> details.
> 
> Credit:
> This vulnerability was found by Sergey Bobrov and reported responsibly
> to the Apache Tomcat Security Team.
> 
> History:
> 2018-10-03 Original advisory
> 
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
> [3] http://tomcat.apache.org/security-7.html
> 
> 
> Diffs
> -----
> 
>   embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java eac0dacaf 
>   pom.xml 514f87e7f 
> 
> 
> Diff: https://reviews.apache.org/r/69340/diff/1/
> 
> 
> Testing
> -------
> 
> 1. Modify the SSL configuration items in install.properties for the Ranger Admin.
> 
> **SSL config**
> 
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> javax_net_ssl_keyStore=/opt/ranger-ssl/keystore
> javax_net_ssl_keyStorePassword=hdp1234$
> javax_net_ssl_trustStore=/opt/ranger-ssl/truststore
> javax_net_ssl_trustStorePassword=hdp1234$
> ...
> 
> 
> **------- PolicyManager CONFIG ----------------**
> 
> 
> policymgr_external_url=https://localhost:6182
> policymgr_http_enabled=false
> policymgr_https_keystore_file=/opt/ranger-ssl/rangertomcatverify.jks
> policymgr_https_keystore_keyalias=rangertomcatverify
> policymgr_https_keystore_password=hdp1234$
> 
> 
> 2. Install the Ranger Admin.
> 
> 
> 3. Modify the SSL configuration items in install.properties for the usersync.
> 
> 
> **POLICY_MGR_URL = http://policymanager.xasecure.net:6080**
> 
> 
> POLICY_MGR_URL = https://sslrangerserver:6182
> 
> 
> **SSL Authentication**
> 
> AUTH_SSL_ENABLED=false
> AUTH_SSL_KEYSTORE_FILE=/opt/ranger-ssl/keystore
> AUTH_SSL_KEYSTORE_PASSWORD=hdp1234$
> AUTH_SSL_TRUSTSTORE_FILE=/opt/ranger-ssl/truststore
> AUTH_SSL_TRUSTSTORE_PASSWORD=hdp1234$
> 
> 
> 4. Install the Ranger usersync.
> 
> 
> 5. Modify the SSL configuration items in install.properties for the KMS.
> 
> 
> **POLICY_MGR_URL = http://policymanager.xasecure.net:6080**
> 
> 
> POLICY_MGR_URL = https://sslrangerserver:6182
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> db_ssl_auth_type=2-way
> javax_net_ssl_keyStore=/opt/ranger-ssl/keystore
> javax_net_ssl_keyStorePassword=hdp1234$
> javax_net_ssl_trustStore=/opt/ranger-ssl/truststore
> javax_net_ssl_trustStorePassword=hdp1234$
> 
> 
> **SSL Client Certificate Information**
> 
> 
> SSL_KEYSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-keystore.jks
> SSL_KEYSTORE_PASSWORD=myKeyFilePassword
> SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-truststore.jks
> SSL_TRUSTSTORE_PASSWORD=myTrustFilePassword
> 
> 
> 6. Install the KMS.
> 
> 
> 7. Modify the SSL configuration items in install.properties for the plugins.
> 
> 
> **POLICY_MGR_URL = http://policymanager.xasecure.net:6080**
> 
> 
> POLICY_MGR_URL = https://sslrangerserver:6182
> 
> 
> **SSL Client Certificate Information**
> 
> 
> SSL_KEYSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-keystore.jks
> SSL_KEYSTORE_PASSWORD=myKeyFilePassword
> SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-truststore.jks
> SSL_TRUSTSTORE_PASSWORD=myTrustFilePassword
> 
> 
> 8. Install the plugins.
> 
> 
> Thanks,
> 
> Qiang Zhang
> 
>
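As an added example (not code from the review request or from the Ranger project), the following Python script checks a Tomcat version string against the affected ranges and fixed releases quoted in the advisory above, flags the unanalysed 8.0.x line separately, and reads the version out of a pom.xml property. The property name `tomcat.version` and the sample pom snippet are assumptions constructed here; Ranger's real pom.xml is not on the page.

```python
import re
from typing import Optional, Tuple

# Affected ranges (inclusive) and first fixed releases, per the CVE-2018-11784 advisory.
AFFECTED_RANGES = (("9.0.0.M1", "9.0.11"), ("8.5.0", "8.5.33"), ("7.0.23", "7.0.90"))
FIXED_VERSIONS = ("9.0.12", "8.5.34", "7.0.91")

# Tomcat milestone tags (9.0.0.M1) precede the final 9.0.0 release, so a
# milestone sorts as (major, minor, patch, -1, n) and a final as (.., 0, 0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")

def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4) is not None:
        return (major, minor, patch, -1, int(m.group(4)))
    return (major, minor, patch, 0, 0)

def status(version: str) -> str:
    """'affected', 'likely-affected' (unsupported 8.0.x, not analysed in the
    advisory) or 'not-affected'."""
    v = parse_version(version)
    if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES):
        return "affected"
    if v[:2] == (8, 0):
        return "likely-affected"
    return "not-affected"

def fixed_version_for(version: str) -> Optional[str]:
    """First fixed release on the same major.minor branch, None if no fix is listed."""
    branch = parse_version(version)[:2]
    return next((f for f in FIXED_VERSIONS if parse_version(f)[:2] == branch), None)

def check_pom(pom_xml: str, prop: str = "tomcat.version") -> str:
    """Report the status of the Tomcat version held in a pom.xml property.
    The property name is an assumption; Ranger's pom.xml is not on the page."""
    m = re.search(rf"<{re.escape(prop)}>\s*([^<\s]+)\s*</{re.escape(prop)}>", pom_xml)
    if not m:
        return f"{prop}: property not found"
    ver, st = m.group(1), status(m.group(1))
    if st == "not-affected":
        return f"{ver}: not in an affected range"
    fix = fixed_version_for(ver)
    advice = f"upgrade to {fix} or later" if fix else "no fixed release listed for this branch"
    return f"{ver}: {st} by CVE-2018-11784, {advice}"

# Constructed sample, not Ranger's real pom.xml.
SAMPLE_POM = "<properties><tomcat.version>7.0.88</tomcat.version></properties>"
```

Calling `check_pom(SAMPLE_POM)` reports the sample 7.0.88 as affected with 7.0.91 as the upgrade target, matching the version bump this review request proposes.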

