
Before reporting any security-related JIRAs, please go through Apache's guidance for VULNERABILITY HANDLING.

Fixed in Ranger 0.5.3


CVE-2016-2174: Apache Ranger SQL injection vulnerability

Severity: Normal

Vendor: The Apache Software Foundation

Versions Affected: All versions of Apache Ranger from 0.5.0 (up to 0.5.3)

Users Affected: All admin users of ranger policy admin tool

Description: SQL Injection vulnerability in the Audit > Access tab. When the user clicks an element in the policyId row of the list, the UI makes an underlying request whose eventTime parameter is the vulnerable input. Admin users can send arbitrary SQL code to be executed along with the eventTime parameter using the /service/plugins/policies/eventTime URL.

Fix details: Replaced native queries with JPA named queries

Mitigation: Users should upgrade to 0.5.3 version of Apache Ranger with the fix.

Credit: Thanks to Mateusz Olejarka from SecuRing for reporting this issue.
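The fix summary above says the native queries were replaced with JPA named queries. The following is an added illustration of what that change looks like in a JPA data-access layer; it is not Ranger's own code. The entity name AuditAccess, the table name audit_access, the named query name and the DAO class are all assumptions made for the example.

```java
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.NamedQuery;
import javax.persistence.TypedQuery;
import java.util.List;

// Hypothetical audit entity; Ranger's real entity and table names are not on the page.
@Entity
@NamedQuery(name = "AuditAccess.findByEventTime",
            query = "SELECT a FROM AuditAccess a WHERE a.eventTime = :eventTime")
class AuditAccess {
    @Id
    private Long id;
    private String eventTime;

    public Long getId() { return id; }
    public String getEventTime() { return eventTime; }
}

// Hypothetical DAO showing the vulnerable pattern next to the hardened one.
class AuditAccessDao {
    private final EntityManager em;

    AuditAccessDao(EntityManager em) {
        this.em = em;
    }

    // BEFORE (vulnerable): the request parameter is concatenated straight into a
    // native SQL statement, so whatever the caller supplies becomes part of the
    // statement text instead of being treated purely as a value.
    @SuppressWarnings("unchecked")
    List<Object[]> findByEventTimeUnsafe(String eventTime) {
        String sql = "SELECT id, event_time FROM audit_access WHERE event_time = '"
                + eventTime + "'";
        return em.createNativeQuery(sql).getResultList();
    }

    // AFTER (hardened): a JPA named query with a bound parameter. The statement is
    // fixed at compile time and the value travels separately, so the database
    // driver never interprets the parameter as SQL.
    List<AuditAccess> findByEventTime(String eventTime) {
        TypedQuery<AuditAccess> query =
                em.createNamedQuery("AuditAccess.findByEventTime", AuditAccess.class);
        query.setParameter("eventTime", eventTime);
        return query.getResultList();
    }
}
```

The important property is that in the hardened version the query text contains no request-controlled characters at all; eventTime is only ever passed through setParameter. Validating that eventTime has the expected timestamp shape before it reaches the DAO is a reasonable second layer, but parameter binding is what removes the injection.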

Fixed in Ranger 0.5.1


CVE-2015-5167: Restrict REST API data access for non-admin users

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 0.4.0 and 0.5.0 version of Apache Ranger

Users affected: All users of ranger policy admin tool

Description: Data access restrictions via the REST API are not consistent with the restrictions in the policy admin UI.

Mitigation: Users should upgrade to Ranger 0.5.1 version


CVE-2016-0733: Ranger Admin authentication issue

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 0.4.0 and 0.5.0 version of Apache Ranger

Users affected: All users of ranger policy admin tool

Description: Malicious users can gain access to the Ranger admin UI without proper authentication.

Mitigation: Users should upgrade to Ranger 0.5.1 version


Fixed in Ranger 0.5.0


CVE-2015-0265: Apache Ranger code injection vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 0.4.0 version of Apache Ranger

Users affected: All admin users of ranger policy admin tool

Description: Unauthorized users can send JavaScript code to be executed in the Ranger policy admin tool's admin sessions.

Fix detail: Added logic to sanitize the user input

Mitigation: Users should upgrade to 0.5.0+ version of Apache Ranger with the fix

Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue


CVE-2015-0266: Apache Ranger direct url access vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: 0.4.0 version of Apache Ranger

Users affected: All users of ranger policy admin tool

Description: Regular users can type in the URL of modules that are accessible only to admin users.

Fix detail: Added logic in the backend to verify user access

Mitigation: Users should upgrade to 0.5.0+ version of Apache Ranger with the fix

Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue
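CVE-2015-0266 above and CVE-2015-5167 earlier on this page share one root cause: a restriction that existed only in the UI while the server accepted the request anyway. The following is an added example of the kind of server-side check the fix summary refers to, written as a plain servlet filter; it is not Ranger's code. The path prefixes, the role name ROLE_ADMIN and the class name are assumptions made for the example.

```java
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

// Hypothetical filter enforcing admin-only modules on the server, independent of
// whether the UI hides the link. Prefixes and role name are illustrative only.
public class AdminModuleAccessFilter implements Filter {

    private static final List<String> ADMIN_ONLY_PREFIXES =
            Arrays.asList("/admin/users", "/admin/audit");
    private static final String ADMIN_ROLE = "ROLE_ADMIN";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    // Decide from the servlet path alone; the container has already normalised the
    // URI (decoded percent-escapes, collapsed ".." segments) before mapping it here.
    static boolean requiresAdmin(String servletPath) {
        for (String prefix : ADMIN_ONLY_PREFIXES) {
            if (servletPath.equals(prefix) || servletPath.startsWith(prefix + "/")) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String path = request.getServletPath();
        if (requiresAdmin(path)) {
            // Unauthenticated callers get 401; authenticated non-admins get 403.
            // Both are decided here, not by whatever the client rendered.
            if (request.getUserPrincipal() == null) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            if (!request.isUserInRole(ADMIN_ROLE)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Applying the same check to the REST endpoints that back those modules, rather than only to the HTML pages, is what keeps the API and the UI consistent; a denied request logged with the principal and path also gives operations a useful signal that someone is probing admin URLs directly.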
