...
Note: Before reporting any security related JIRAs, please go through Apache's guidance for VULNERABILITY HANDLING. Please see Lock down Apache Ranger for production deployments.
Fixed in Ranger 2.0.0
...
CVE-2019-12397: Apache Ranger cross site scripting issue
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: 0.7.0 to 1.2.0 versions of Apache Ranger, prior to 2.0.0
Users affected: All users of the Ranger policy admin tool
Description: Apache Ranger was found to be vulnerable to cross-site scripting in the policy import functionality.
Fix detail: Added logic to sanitize the user input.
Mitigation: Users should upgrade to Apache Ranger 2.0.0 or later, which contains the fix.
Credit: Jan Kaszycki from STM Solutions
Fixed in Ranger 1.2.0
...
CVE-2018-11778: Apache Ranger Stack based buffer overflow
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: Apache Ranger versions prior to 1.2.0
Users affected: Unix Authentication Service users
Description: Apache Ranger UnixAuthenticationService did not properly handle user input, which could lead to a stack-based buffer overflow.
Fix detail: UnixAuthenticationService was updated to correctly handle user input.
Mitigation: Users should upgrade to Apache Ranger 1.2.0 or later, which contains the fix.
Credit: Alexander Klink.
Fixed in Ranger 0.7.1
...
CVE-2017-7676: Apache Ranger policy evaluation ignores characters after ‘*’ wildcard character
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: 0.6.x/0.7.0 versions of Apache Ranger
Users affected: Environments that use Ranger policies with characters after ‘*’ wildcard character – like my*test, test*.txt
Description: The policy resource matcher effectively ignores characters after the ‘*’ wildcard character, so a pattern such as my*test behaves like my*. This can result in affected policies being applied to resources they were not meant to cover.
Fix detail: Ranger policy resource matcher was updated to correctly handle wildcard matches.
Mitigation: Users should upgrade to Apache Ranger 0.7.1 or later, which contains the fix.
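The matching flaw above, modelled with an added illustrative example in Python. This is not Ranger's code (Ranger is written in Java and its real resource matcher is considerably more involved): truncating_match models a matcher that stops evaluating at the first ‘*’, glob_match is an ordinary glob matcher that honours the text after the wildcard, and the policies, user names and resource names are constructed sample data chosen to mirror the advisory's my*test and test*.txt patterns.

```python
"""Illustrative model of the CVE-2017-7676 matching flaw (not Ranger's own code).

A resource matcher that stops at the first '*' treats "my*test" as if it were
"my*", so a policy written for a narrow set of resources silently applies to
every resource that shares the prefix. The fixed matcher honours the text after
the wildcard.
"""
from dataclasses import dataclass, field
from typing import Callable, List


def truncating_match(pattern: str, resource: str) -> bool:
    """Flawed matcher: characters after the first '*' are ignored (models the bug)."""
    star = pattern.find("*")
    if star < 0:
        return pattern == resource
    return resource.startswith(pattern[:star])


def glob_match(pattern: str, resource: str) -> bool:
    """Correct matcher: '*' matches any run of characters (including none),
    '?' matches exactly one character, everything else must match literally.
    Iterative, backtracking only to the most recent '*', so it never recurses."""
    p = r = 0
    star_p = star_r = -1
    while r < len(resource):
        if p < len(pattern) and pattern[p] == "*":
            star_p, star_r = p, r   # remember where to backtrack to
            p += 1
        elif p < len(pattern) and (pattern[p] == "?" or pattern[p] == resource[r]):
            p += 1
            r += 1
        elif star_p >= 0:
            # mismatch after a '*': let that '*' absorb one more resource char
            star_r += 1
            r = star_r
            p = star_p + 1
        else:
            return False
    while p < len(pattern) and pattern[p] == "*":
        p += 1                      # trailing '*' may match the empty string
    return p == len(pattern)


@dataclass
class Policy:
    """Minimal allow policy: who may do what on resources matching a pattern."""
    resource_pattern: str
    users: List[str]
    accesses: List[str] = field(default_factory=lambda: ["read"])


def is_allowed(policies: List[Policy], user: str, resource: str, access: str,
               matcher: Callable[[str, str], bool]) -> bool:
    """Allow if any policy grants `access` to `user` on a matching resource.
    Default-deny: no matching allow policy means access is refused."""
    return any(
        matcher(pol.resource_pattern, resource)
        and user in pol.users
        and access in pol.accesses
        for pol in policies
    )


# Constructed sample policies (hypothetical users) using the advisory's patterns.
SAMPLE_POLICIES = [
    Policy("my*test", users=["alice"]),
    Policy("test*.txt", users=["bob"]),
]


def over_granted(policies: List[Policy], user: str, resource: str,
                 access: str = "read") -> bool:
    """True when the flawed matcher grants access that the correct matcher denies."""
    return (is_allowed(policies, user, resource, access, truncating_match)
            and not is_allowed(policies, user, resource, access, glob_match))


if __name__ == "__main__":
    for user, res in [("alice", "mytest"), ("alice", "mysecret"),
                      ("bob", "test_a.txt"), ("bob", "test_a.log")]:
        flawed = is_allowed(SAMPLE_POLICIES, user, res, "read", truncating_match)
        fixed = is_allowed(SAMPLE_POLICIES, user, res, "read", glob_match)
        print(f"{user:5} {res:12} flawed={flawed!s:5} fixed={fixed!s:5} "
              f"over_granted={over_granted(SAMPLE_POLICIES, user, res)}")
```

Running the block shows alice being granted read on mysecret and bob on test_a.log under the truncating matcher, while the glob matcher confines each policy to the resources its pattern actually names. The same check can be pointed at an exported set of real policies to find which of them contain text after a ‘*’ and are therefore affected.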
...
CVE-2017-7677: Apache Ranger Hive Authorizer should check for RWX permission when external location is specified
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x/0.6.x/0.7.0 versions of Apache Ranger
Users affected: Environments that use external location for hive tables
Description: Ranger Hive Authorizer did not check RWX permission on the external location when one was specified, so a table could be created over that location without the user holding the required permissions on it.
Fix detail: Ranger Hive Authorizer was updated to correctly handle the permission check when an external location is specified.
Mitigation: Users should upgrade to Apache Ranger 0.7.1 or later, which contains the fix.
Fixed in Ranger 0.6.3
...
CVE-2016-8746: Apache Ranger path matching issue in policy evaluation
...