ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Zsombor Gegesy <zsom...@apache.org>
Subject Re: Review Request 65980: Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.85.
Date Thu, 22 Mar 2018 10:17:58 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65980/#review199748
-----------------------------------------------------------


Ship it!




Ship It!

- Zsombor Gegesy


On March 9, 2018, 3:41 a.m., Qiang Zhang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/65980/
> -----------------------------------------------------------
> 
> (Updated March 9, 2018, 3:41 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam
Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, Selvamohan Neethiraj, sam  rome, and Velmurugan
Periasamy.
> 
> 
> Bugs: RANGER-1994
>     https://issues.apache.org/jira/browse/RANGER-1994
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [SECURITY] CVE-2018-1305 Security constraint annotations applied too late
> 
> CVE-2018-1305 Security constraint annotations applied too late
> 
> Severity: High 
> 
> Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.4 Apache Tomcat 8.5.0 to 8.5.27 Apache
Tomcat 8.0.0.RC1 to 8.0.49 Apache Tomcat 7.0.0 to 7.0.84
> 
> Description: Security constraints defined by annotations of Servlets were only applied
once a Servlet had been loaded. Because security constraints defined in this way apply to
the URL pattern and any URLs below that point, it was possible - depending on the order Servlets
were loaded - for some security constraints not to be applied. This could have exposed resources
to users who were not authorised to access them.
> 
> Mitigation: Users of the affected versions should apply one of the following mitigations.
Upgrade to: - Apache Tomcat 9.0.5 or later - Apache Tomcat 8.5.28 or later - Apache Tomcat
8.0.50 or later - Apache Tomcat 7.0.85 or later
> 
> References:https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781@%3Cannounce.tomcat.apache.org%3E
> 
> 
> Diffs
> -----
> 
>   pom.xml d6f98b4 
> 
> 
> Diff: https://reviews.apache.org/r/65980/diff/1/
> 
> 
> Testing
> -------
> 
> 1. Modify the ssl configuration item in install.properties for the Ranger Admin.
> #SSL config
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> javax_net_ssl_keyStore=/opt/ranger-1.1.0-admin/ssl/keystore
> javax_net_ssl_keyStorePassword=hdp1234$
> javax_net_ssl_trustStore=/opt/ranger-1.1.0-admin/ssl/truststore
> javax_net_ssl_trustStorePassword=hdp1234$
> ...
> #
> # ------- PolicyManager CONFIG ----------------
> #
> policymgr_external_url=https://localhost:6182
> policymgr_http_enabled=false
> policymgr_https_keystore_file=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify.jks
> policymgr_https_keystore_keyalias=rangertomcatverify
> policymgr_https_keystore_password=hdp1234$
> 2. Install the Ranger Admin
> 
> 3. Modify the ssl configuration item in install.properties for the usersync.
> #
> #  POLICY_MGR_URL = http://policymanager.xasecure.net:6080
> #
> POLICY_MGR_URL = https://sslrangerserver:6182
> # SSL Authentication
> AUTH_SSL_ENABLED=false
> AUTH_SSL_KEYSTORE_FILE=/opt/ranger-1.1.0-admin/ssl/keystore
> AUTH_SSL_KEYSTORE_PASSWORD=hdp1234$
> AUTH_SSL_TRUSTSTORE_FILE=/opt/ranger-1.1.0-admin/ssl/truststore
> AUTH_SSL_TRUSTSTORE_PASSWORD=hdp1234$
> 3. Install the Ranger usersync
> 
> 4. Modified the ssl configuration item in install.properties for the kms.
> #
> #  POLICY_MGR_URL = http://policymanager.xasecure.net:6080
> #
> POLICY_MGR_URL = https://sslrangerserver:6182
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> db_ssl_auth_type=2-way
> javax_net_ssl_keyStore=/opt/ranger-1.1.0-admin/ssl/keystore
> javax_net_ssl_keyStorePassword=hdp1234$
> javax_net_ssl_trustStore=/opt/ranger-1.1.0-admin/ssl/truststore
> javax_net_ssl_trustStorePassword=hdp1234$
> #
> # SSL Client Certificate Information
> #
> SSL_KEYSTORE_FILE_PATH=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify-keystore.jks
> SSL_KEYSTORE_PASSWORD=myKeyFilePassword
> SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify-truststore.jks
> SSL_TRUSTSTORE_PASSWORD=changeit
> 5. Install the KMS
> 
> 6. Modified the ssl configuration item in install.properties for plugins
> #
> #  POLICY_MGR_URL = http://policymanager.xasecure.net:6080
> #
> POLICY_MGR_URL = https://sslrangerserver:6182
> #
> # SSL Client Certificate Information
> #
> SSL_KEYSTORE_FILE_PATH=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify-keystore.jks
> SSL_KEYSTORE_PASSWORD=myKeyFilePassword
> SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify-truststore.jks
> SSL_TRUSTSTORE_PASSWORD=changeit
> 7. Install plugins
> 
> 
> Thanks,
> 
> Qiang Zhang
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message