ranger-dev mailing list archives

From pengjianhua <peng.jian...@zte.com.cn>
Subject Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.
Date Tue, 05 Dec 2017 00:48:27 GMT


> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> >     @PengJianhua,
> >     I used the attached patch and did a build on my local machine using mvn clean compile package.
> >     After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services start. I am getting an error in the catalina.out file as the Tomcat server start itself is failing (PS: attached log file on Apache JIRA).
> >     
> >     To resolve the issue I had to add a dependency for javax.annotation-api.
> >     
> >     Did the attached patch work for you without adding this dependency? If yes, kindly share how this worked for you!
> 
> pengjianhua wrote:
>     Ok. I didn't add this dependency. My compile is ok. Please delete your local Maven repository. Then compile the ranger project using the following command:
>     sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
>     Pengjianhua, the compile goes through fine. But did the Ranger-Admin service start using the compiled packaged bits? Are you able to access the Ranger UI?
> 
> pengjianhua wrote:
>     I can access the ranger UI. Your question should have nothing to do with this issue. If my guess is right, you need a more in-depth understanding of how to use ranger; please refer to the manual to configure your ranger.
>     If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
>     @Pengjianhua : When I try to start the Ranger-Admin and Ranger-KMS services, the service start itself is failing, and I also got the same error in catalina.out which Vishal has attached on jira.
>     
>     Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
>     It also fails for me with errors in catalina.out like:
>     
>     INFO: validateJarFile(....../lib/javax.servlet-api-3.1.0.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class
> 
> pengjianhua wrote:
>     I compiled the source that I built the patch against. Based on that compiled version I've been testing and verifying whether the issue affected ranger's functionality. Maybe our latest modifications introduced new issues. I will also compile the latest source to further verify the problem you mentioned.
> 
> pengjianhua wrote:
>     I'm sorry. In this patch I lacked the tomcat-annotations-api dependency package. I have fixed this patch. Thanks!

Hi Colm and bhavik patel, is there any problem now? If there is no problem, I will merge this issue.


- pengjianhua


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------


On Dec. 4, 2017, 8:47 a.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Dec. 4, 2017, 8:47 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615 / CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of Apache Tomcat 7.0.81 has fixed the two vulnerabilities, and upgrading to the latest version is recommended.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   embeddedwebserver/pom.xml 81699573 
>   pom.xml 589cd6ac 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/4/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>
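An added defender-side check (not part of the review request or of Ranger's code) that applies the advisory's two conditions to a deployment: the version ranges from the Scope section above and, for CVE-2017-12615, whether conf/web.xml sets the DefaultServlet readonly init-param to false, the setting that enables HTTP PUT. The web.xml sample is constructed; the Windows condition is not checked.

```python
import xml.etree.ElementTree as ET

# Affected ranges (inclusive) as stated in the Scope section of this review request.
AFFECTED = {
    "CVE-2017-12615": ((7, 0, 0), (7, 0, 79)),
    "CVE-2017-12616": ((7, 0, 0), (7, 0, 80)),
}

def parse_version(text):
    """'7.0.82' -> (7, 0, 82); reject anything that is not MAJOR.MINOR.PATCH."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError("expected MAJOR.MINOR.PATCH, got %r" % text)
    return parts

def affected_cves(version):
    """CVE ids from the advisory whose version range covers this Tomcat version."""
    v = parse_version(version)
    return sorted(cve for cve, (lo, hi) in AFFECTED.items() if lo <= v <= hi)

def _local(tag):  # strip the XML namespace so Tomcat 7 and later web.xml files both match
    return tag.rsplit("}", 1)[-1]

def put_enabled(web_xml):
    """True when the 'default' servlet sets init-param readonly=false, which enables HTTP PUT."""
    for servlet in ET.fromstring(web_xml).iter():
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if _local(servlet.tag) != "servlet" or fields.get("servlet-name") != "default":
            continue
        for param in servlet:
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if (_local(param.tag) == "init-param" and kv.get("param-name") == "readonly"
                    and kv.get("param-value", "").lower() == "false"):
                return True
    return False

def assess(version, web_xml):
    """Every in-range CVE; CVE-2017-12615 is annotated when the PUT precondition is absent."""
    return [cve + ("" if cve != "CVE-2017-12615" or put_enabled(web_xml)
                   else " (in range, but PUT disabled)")
            for cve in affected_cves(version)]

# Constructed sample modelled on the DefaultServlet block of a Tomcat 7 conf/web.xml.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
```

Run assess() against the Tomcat version pinned in pom.xml and the deployed conf/web.xml; an empty list means neither advisory range applies.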

