Posted to dev@ranger.apache.org by pengjianhua <pe...@zte.com.cn> on 2017/09/22 08:03:43 UTC

Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/
-----------------------------------------------------------

Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.


Bugs: RANGER-1797
    https://issues.apache.org/jira/browse/RANGER-1797


Repository: ranger


Description
-------

[Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.

CVE ID:
CVE-2017-12615\CVE-2017-12616

Description
CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible, via a specially crafted request, to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.

Scope
CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80

Solution
The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.

Reference
https://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81


Diffs
-----

  pom.xml 3958014c 


Diff: https://reviews.apache.org/r/62495/diff/1/


Testing
-------


Thanks,

pengjianhua

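As an added example (not code from the review request or from the Ranger project), a small Python checker that applies the affected ranges quoted above to the Tomcat version declared in a Maven pom and also flags the precondition of CVE-2017-12615, a DefaultServlet configured with `readonly=false` (which is what enables HTTP PUT). The `tomcat.version` property name and both XML inputs are constructed assumptions, since the thread does not show the diff itself.

```python
import xml.etree.ElementTree as ET

# Affected version ranges exactly as stated in the review request (both ends inclusive).
AFFECTED_RANGES = {
    "CVE-2017-12615": ("7.0.0", "7.0.79"),
    "CVE-2017-12616": ("7.0.0", "7.0.80"),
}

MAVEN_NS = "http://maven.apache.org/POM/4.0.0"


def parse_version(text):
    """'7.0.81' -> (7, 0, 81); tuple comparison gives correct numeric ordering."""
    return tuple(int(part) for part in text.strip().split("."))


def open_cves(version):
    """Return the CVE ids from the alert whose affected range still contains `version`."""
    v = parse_version(version)
    return [cve for cve, (low, high) in AFFECTED_RANGES.items()
            if parse_version(low) <= v <= parse_version(high)]


def tomcat_version_from_pom(pom_xml, property_name="tomcat.version"):
    """Read the Tomcat version property from a Maven pom.
    The property name is an assumption for this example; the real Ranger pom is not shown."""
    root = ET.fromstring(pom_xml)
    node = root.find(f"{{{MAVEN_NS}}}properties/{{{MAVEN_NS}}}{property_name}")
    if node is None or not node.text:
        raise ValueError(f"property {property_name} not found in pom")
    return node.text.strip()


def _local(tag):
    """Strip the XML namespace so web.xml from any servlet spec version parses the same."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_put_enabled(web_xml):
    """CVE-2017-12615 only applies when HTTP PUT is accepted, i.e. the DefaultServlet
    carries init-param readonly=false (Tomcat's default is true).
    Returns False when this web.xml does not declare the DefaultServlet at all."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        params, cls = {}, None
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                cls = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                name = value = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        name = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        value = (p.text or "").strip()
                if name:
                    params[name] = value
        if cls == "org.apache.catalina.servlets.DefaultServlet":
            return (params.get("readonly") or "true").lower() == "false"
    return False


def assess(pom_xml, web_xml):
    """Combine both checks: which CVEs are still open for the pinned version, and
    whether the PUT precondition is switched on."""
    version = tomcat_version_from_pom(pom_xml)
    return {"version": version,
            "open_cves": open_cves(version),
            "put_enabled": default_servlet_put_enabled(web_xml)}


# Constructed sample inputs (not Ranger's real files).
POM_BEFORE = f"""<project xmlns="{MAVEN_NS}"><properties>
  <tomcat.version>7.0.79</tomcat.version></properties></project>"""
POM_AFTER = POM_BEFORE.replace("7.0.79", "7.0.82")
WEB_XML_PUT_ON = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""

if __name__ == "__main__":
    print(assess(POM_BEFORE, WEB_XML_PUT_ON))  # both CVEs open, PUT enabled
    print(assess(POM_AFTER, WEB_XML_PUT_ON))   # no open CVEs, PUT still enabled
```

Note that bumping the version clears the CVEs but leaves `readonly=false` in place, which is why the second check is reported separately.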

Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.

Posted by pengjianhua <pe...@zte.com.cn>.

> On Oct. 4, 2017, 2:16 p.m., Velmurugan Periasamy wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/1/?file=1832777#file1832777line212>
> >
> >     See https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82 for additional CVEs fixed, hence it is better to upgrade to 7.0.82 with this effort. 
> >     
> >     +1 to Bhavik's suggestions to cover SSL/Kerberos/Knox tests for Ranger Admin and SSL/Kerberos for Ranger KMS

ok. Thanks.


- pengjianhua


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review187093
-----------------------------------------------------------


On Sept. 22, 2017, 8:35 a.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Sept. 22, 2017, 8:35 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible, via a specially crafted request, to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> 
> 
> Diffs
> -----
> 
>   pom.xml 3958014c 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.

Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review187093
-----------------------------------------------------------




pom.xml
Line 212 (original), 212 (patched)
<https://reviews.apache.org/r/62495/#comment264030>

    See https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82 for additional CVEs fixed, hence it is better to upgrade to 7.0.82 with this effort. 
    
    +1 to Bhavik's suggestions to cover SSL/Kerberos/Knox tests for Ranger Admin and SSL/Kerberos for Ranger KMS


- Velmurugan Periasamy




Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by pengjianhua <pe...@zte.com.cn>.

> On Oct. 10, 2017, 5:19 a.m., bhavik patel wrote:
> > @pengjianhua : Any updates on this?
> 
> pengjianhua wrote:
>     I am testing SSL/Kerberos for Ranger KMS.
> 
> pengjianhua wrote:
>     I tested the patch. The Java 1.8 is required. That is to say users must upgrade jdk to 1.8 above.
> 
> pengjianhua wrote:
>     I had verified SSL/Kerberos for admin\kms. And I will merge the issue.
> 
> Colm O hEigeartaigh wrote:
>     Why is Java 1.8 required?

The Java version must be 1.8 or higher when we set db_ssl_enabled to true.
That is, Java 1.8 is required only when the user sets db_ssl_enabled to true.


- pengjianhua


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review187494
-----------------------------------------------------------


On Nov. 30, 2017, 1:55 p.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Nov. 30, 2017, 1:55 p.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible, via a specially crafted request, to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   pom.xml 589cd6ac 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/3/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by Colm O hEigeartaigh <co...@apache.org>.

> On Oct. 10, 2017, 5:19 a.m., bhavik patel wrote:
> > @pengjianhua : Any updates on this?
> 
> pengjianhua wrote:
>     I am testing SSL/Kerberos for Ranger KMS.
> 
> pengjianhua wrote:
>     I tested the patch. The Java 1.8 is required. That is to say users must upgrade jdk to 1.8 above.
> 
> pengjianhua wrote:
>     I had verified SSL/Kerberos for admin\kms. And I will merge the issue.

Why is Java 1.8 required?


- Colm


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review187494
-----------------------------------------------------------


On Oct. 10, 2017, 7:01 a.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Oct. 10, 2017, 7:01 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible, via a specially crafted request, to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   pom.xml 3958014c 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/2/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.

Posted by pengjianhua <pe...@zte.com.cn>.

> On Oct. 10, 2017, 5:19 a.m., bhavik patel wrote:
> > @pengjianhua : Any updates on this?

I am testing SSL/Kerberos for Ranger KMS.


- pengjianhua


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review187494
-----------------------------------------------------------




Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by pengjianhua <pe...@zte.com.cn>.

> On Oct. 10, 2017, 5:19 a.m., bhavik patel wrote:
> > @pengjianhua : Any updates on this?
> 
> pengjianhua wrote:
>     I am testing SSL/Kerberos for Ranger KMS.

I tested the patch. The Java 1.8 is required. That is to say users must upgrade jdk to 1.8 above.


- pengjianhua


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review187494
-----------------------------------------------------------




Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by pengjianhua <pe...@zte.com.cn>.

> On Oct. 10, 2017, 5:19 a.m., bhavik patel wrote:
> > @pengjianhua : Any updates on this?
> 
> pengjianhua wrote:
>     I am testing SSL/Kerberos for Ranger KMS.
> 
> pengjianhua wrote:
>     I tested the patch. The Java 1.8 is required. That is to say users must upgrade jdk to 1.8 above.

I had verified SSL/Kerberos for admin\kms. And I will merge the issue.


- pengjianhua


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review187494
-----------------------------------------------------------




Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.

Posted by bhavik patel <bh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review187494
-----------------------------------------------------------



@pengjianhua : Any updates on this?

- bhavik patel




Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.

Posted by pengjianhua <pe...@zte.com.cn>.

> On Sept. 22, 2017, 9:11 a.m., bhavik patel wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/1/?file=1832777#file1832777line212>
> >
> >     @pengjianhua : This change needs thorough testing of Ranger Admin as well as Ranger KMS in Simple, Kerberos, SSL, KnoxSSO, KnoxProxy enabled environments.
> >     
> >     Also need to check all features on jdk 1.7 as well as 1.8. Also, at least one plugin communication needs to be verified.
> >     
> >     Can you please confirm: all these cases are tested before committing this patch.
> >     
> >     This is based on earlier experience of updating tomcat version.

Ok. We have a complete automated integration test environment for Ranger. I have tested the functions of Ranger using our automated integration test environment. The test results show that there is no problem. I will further test the effect of this issue for Ranger using our automated integration test environment tonight and tomorrow.


- pengjianhua


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review185959
-----------------------------------------------------------




Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.

Posted by pengjianhua <pe...@zte.com.cn>.

> On Sept. 22, 2017, 9:11 a.m., bhavik patel wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/1/?file=1832777#file1832777line212>
> >
> >     @pengjianhua : This change needs thorough testing of Ranger Admin as well as Ranger KMS in Simple, Kerberos, SSL, KnoxSSO, KnoxProxy enabled environments.
> >     
> >     Also need to check all features on jdk 1.7 as well as 1.8. Also, at least one plugin communication needs to be verified.
> >     
> >     Can you please confirm: all these cases are tested before committing this patch.
> >     
> >     This is based on earlier experience of updating tomcat version.
> 
> pengjianhua wrote:
>     Ok. We have a complete automated integration test environment for Ranger. I have tested the functions of Ranger using our automated integration test environment. The test results show that there is no problem. I will further test the effect of this issue for Ranger using our automated integration test environment tonight and tomorrow.
> 
> Qiang Zhang wrote:
>     @bhavik patel: Do you have further suggestions? If not, I'll fix the issue.
> 
> bhavik patel wrote:
>     @Qiang Zhang: If Peng Jianhua can confirm that their integration test covered all the above scenarios which I mentioned above (especially on SSL environment).

@bhavik patel: Thanks for your reminder, I lack this case in my automated integration test environment. I will add this case to my automated integration test environment and test it again. Thanks.


- pengjianhua


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review185959
-----------------------------------------------------------




Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.

Posted by bhavik patel <bh...@gmail.com>.

> On Sept. 22, 2017, 9:11 a.m., bhavik patel wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/1/?file=1832777#file1832777line212>
> >
> >     @pengjianhua : This change needs thorough testing of Ranger Admin as well as Ranger KMS in Simple, Kerberos, SSL, KnoxSSO and KnoxProxy enabled environments.
> >     
> >     Also need to check all features on JDK 1.7 as well as 1.8. Also, at least one plugin communication needs to be verified.
> >     
> >     Can you please confirm that all these cases are tested before committing this patch.
> >     
> >     This is based on earlier experience of updating the Tomcat version.
> 
> pengjianhua wrote:
>     OK. We have a complete automated integration test environment for Ranger. I have tested the functions of Ranger using our automated integration test environment. The test results show that there is no problem. I will further test the effect of this issue on Ranger using our automated integration test environment tonight and tomorrow.
> 
> Qiang Zhang wrote:
>     @bhavik patel: Do you have further suggestions? If not, I'll fix the issue.

@Qiang Zhang: If Peng Jianhua can confirm that their integration tests covered all the scenarios I mentioned above (especially the SSL environment).


- bhavik


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review185959
-----------------------------------------------------------




Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.

Posted by Qiang Zhang <zh...@zte.com.cn>.

> On Sept. 22, 2017, 9:11 a.m., bhavik patel wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/1/?file=1832777#file1832777line212>
> >
> >     @pengjianhua : This change needs thorough testing of Ranger Admin as well as Ranger KMS in Simple, Kerberos, SSL, KnoxSSO and KnoxProxy enabled environments.
> >     
> >     Also need to check all features on JDK 1.7 as well as 1.8. Also, at least one plugin communication needs to be verified.
> >     
> >     Can you please confirm that all these cases are tested before committing this patch.
> >     
> >     This is based on earlier experience of updating the Tomcat version.
> 
> pengjianhua wrote:
>     OK. We have a complete automated integration test environment for Ranger. I have tested the functions of Ranger using our automated integration test environment. The test results show that there is no problem. I will further test the effect of this issue on Ranger using our automated integration test environment tonight and tomorrow.

@bhavik patel: Do you have further suggestions? If not, I'll fix the issue.


- Qiang


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review185959
-----------------------------------------------------------




Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.

Posted by bhavik patel <bh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review185959
-----------------------------------------------------------




pom.xml
Line 212 (original), 212 (patched)
<https://reviews.apache.org/r/62495/#comment262304>

    @pengjianhua : This change needs thorough testing of Ranger Admin as well as Ranger KMS in Simple, Kerberos, SSL, KnoxSSO and KnoxProxy enabled environments.
    
    Also need to check all features on JDK 1.7 as well as 1.8. Also, at least one plugin communication needs to be verified.
    
    Can you please confirm that all these cases are tested before committing this patch.
    
    This is based on earlier experience of updating the Tomcat version.


- bhavik patel




Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.

Posted by Qiang Zhang <zh...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review185957
-----------------------------------------------------------


Ship it!




Ship It!

- Qiang Zhang




Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by pengjianhua <pe...@zte.com.cn>.

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> >     @PengJianhua,
> >     I used the attached patch and did a build on my local machine using mvn clean compile package.
> >     After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services start. I am getting an error in the catalina.out file as the Tomcat server start itself is failing (PS: attached log file on the Apache JIRA).
> >     
> >     To resolve the issue I had to add a dependency for javax.annotation-api.
> >     
> >     Did the attached patch work for you without adding this dependency? If yes, kindly share how this worked for you!
> 
> pengjianhua wrote:
>     OK. I didn't add this dependency. My compile is OK. Please delete your local Maven repository, then compile the Ranger project using the following command:
>     sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
>     Pengjianhua, the compile goes through fine. But did the Ranger-Admin service start using the compiled packaged bits? Are you able to access the Ranger UI?
> 
> pengjianhua wrote:
>     I can access the Ranger UI. Your question should have nothing to do with this issue. If I guess right, you should have a more in-depth understanding of how to use Ranger; please refer to the manual to configure your Ranger.
>     If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
>     @Pengjianhua : When I try to start the Ranger-Admin and Ranger-KMS services, the service start itself is failing and I also get the same error in catalina.out which Vishal has attached on JIRA.
>     
>     Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
>     It also fails for me with errors in catalina.out like:
>     
>     INFO: validateJarFile(....../lib/javax.servlet-api-3.1.0.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class
> 
> pengjianhua wrote:
>     I compiled the source on which I built the patch. Based on that compiled version I have been testing and verifying whether the issue affected Ranger's functions. Maybe our latest modifications introduced new issues. I will also compile the latest source to further verify the problem you mentioned.
> 
> pengjianhua wrote:
>     I'm sorry. In this patch I was missing the tomcat-annotations-api dependency package. I have fixed this patch. Thanks!
> 
> pengjianhua wrote:
>     Hi Colm and bhavik patel, is there any problem now? If there is no problem, I will merge this issue.
> 
> Vishal Suvagia wrote:
>     Hi Pengjianhua,
>     The versions for org.apache.tomcat -> annotations-api present here -> https://mvnrepository.com/artifact/org.apache.tomcat/annotations-api do not have a specific build for 7.0.82 (the last stable build version is 6.0.53).
>     Additionally, recent fixes from the Tomcat devs suggest that tomcat.annotations-api has been removed from tomcat-embed-core shipments in favour of javax.annotations-api; refer to https://bz.apache.org/bugzilla/show_bug.cgi?id=61439.
> 
> pengjianhua wrote:
>     OK. Thanks. How do you think we should deal with this issue? Should we upgrade directly to Tomcat 7.0.83, or is there a better way to handle this issue?
> 
> Vishal Suvagia wrote:
>     Pengjianhua, sadly it looks like there is no tomcat-7.0.83 build out yet. From what I have tried, we will need to add a new dependency for javax.annotation-api -> https://mvnrepository.com/artifact/javax.annotation/javax.annotation-api.

Hi Vishal Suvagia, please refer to http://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core/7.0.82 and http://mvnrepository.com/artifact/org.apache.tomcat/tomcat-annotations-api/7.0.82.


- pengjianhua


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Dec. 5, 2017, 2:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   embeddedwebserver/pom.xml 81699573 
>   pom.xml 589cd6ac 
>   src/main/assembly/admin-web.xml aa37426f 
>   src/main/assembly/kms.xml 7c40ce4e 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/5/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by Colm O hEigeartaigh <co...@apache.org>.

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> >     @PengJianhua,
> >     I used the attached patch and did a build on my local machine using mvn clean compile package.
> >     After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services start. I am getting an error in the catalina.out file as the Tomcat server start itself is failing (PS: attached log file on the Apache JIRA).
> >     
> >     To resolve the issue I had to add a dependency for javax.annotation-api.
> >     
> >     Did the attached patch work for you without adding this dependency? If yes, kindly share how this worked for you!
> 
> pengjianhua wrote:
>     OK. I didn't add this dependency. My compile is OK. Please delete your local Maven repository, then compile the Ranger project using the following command:
>     sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
>     Pengjianhua, the compile goes through fine. But did the Ranger-Admin service start using the compiled packaged bits? Are you able to access the Ranger UI?
> 
> pengjianhua wrote:
>     I can access the Ranger UI. Your question should have nothing to do with this issue. If I guess right, you should have a more in-depth understanding of how to use Ranger; please refer to the manual to configure your Ranger.
>     If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
>     @Pengjianhua : When I try to start the Ranger-Admin and Ranger-KMS services, the service start itself is failing and I also get the same error in catalina.out which Vishal has attached on JIRA.
>     
>     Not sure how it's working for you!!!

It also fails for me with errors in catalina.out like:

INFO: validateJarFile(....../lib/javax.servlet-api-3.1.0.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class


- Colm


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------


On Nov. 30, 2017, 1:55 p.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Nov. 30, 2017, 1:55 p.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   pom.xml 589cd6ac 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/3/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by pengjianhua <pe...@zte.com.cn>.

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> >     @PengJianhua,
> >     I used the attached patch and did a build on my local machine using mvn clean compile package.
> >     After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services start. I am getting an error in the catalina.out file as the Tomcat server start itself is failing (PS: attached log file on the Apache JIRA).
> >     
> >     To resolve the issue I had to add a dependency for javax.annotation-api.
> >     
> >     Did the attached patch work for you without adding this dependency? If yes, kindly share how this worked for you!
> 
> pengjianhua wrote:
>     OK. I didn't add this dependency. My compile is OK. Please delete your local Maven repository, then compile the Ranger project using the following command:
>     sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
>     Pengjianhua, the compile goes through fine. But did the Ranger-Admin service start using the compiled packaged bits? Are you able to access the Ranger UI?
> 
> pengjianhua wrote:
>     I can access the Ranger UI. Your question should have nothing to do with this issue. If I guess right, you should have a more in-depth understanding of how to use Ranger; please refer to the manual to configure your Ranger.
>     If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
>     @Pengjianhua : When I try to start the Ranger-Admin and Ranger-KMS services, the service start itself is failing and I also get the same error in catalina.out which Vishal has attached on JIRA.
>     
>     Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
>     It also fails for me with errors in catalina.out like:
>     
>     INFO: validateJarFile(....../lib/javax.servlet-api-3.1.0.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class

I compiled the source on which I built the patch. Based on that compiled version I have been testing and verifying whether the issue affected Ranger's functions. Maybe our latest modifications introduced new issues. I will also compile the latest source to further verify the problem you mentioned.


- pengjianhua


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------




Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by Vishal Suvagia via Review Board <no...@reviews.apache.org>.

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> >     @PengJianhua,
> >     I used the attached patch and did a build on my local machine using mvn clean compile package.
> >     After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services start. I am getting an error in the catalina.out file as the Tomcat server start itself is failing (PS: attached log file on the Apache JIRA).
> >     
> >     To resolve the issue I had to add a dependency for javax.annotation-api.
> >     
> >     Did the attached patch work for you without adding this dependency? If yes, kindly share how this worked for you!
> 
> pengjianhua wrote:
>     OK. I didn't add this dependency. My compile is OK. Please delete your local Maven repository, then compile the Ranger project using the following command:
>     sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
>     Pengjianhua, the compile goes through fine. But did the Ranger-Admin service start using the compiled packaged bits? Are you able to access the Ranger UI?
> 
> pengjianhua wrote:
>     I can access the Ranger UI. Your question should have nothing to do with this issue. If I guess right, you should have a more in-depth understanding of how to use Ranger; please refer to the manual to configure your Ranger.
>     If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
>     @Pengjianhua : When I try to start the Ranger-Admin and Ranger-KMS services, the service start itself is failing and I also get the same error in catalina.out which Vishal has attached on JIRA.
>     
>     Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
>     It also fails for me with errors in catalina.out like:
>     
>     INFO: validateJarFile(....../lib/javax.servlet-api-3.1.0.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class
> 
> pengjianhua wrote:
>     I compiled the source on which I built the patch. Based on that compiled version I have been testing and verifying whether the issue affected Ranger's functions. Maybe our latest modifications introduced new issues. I will also compile the latest source to further verify the problem you mentioned.
> 
> pengjianhua wrote:
>     I'm sorry. In this patch I was missing the tomcat-annotations-api dependency package. I have fixed this patch. Thanks!
> 
> pengjianhua wrote:
>     Hi Colm and bhavik patel, is there any problem now? If there is no problem, I will merge this issue.
> 
> Vishal Suvagia wrote:
>     Hi Pengjianhua,
>     The versions for org.apache.tomcat -> annotations-api present here -> https://mvnrepository.com/artifact/org.apache.tomcat/annotations-api do not have a specific build for 7.0.82 (the last stable build version is 6.0.53).
>     Additionally, recent fixes from the Tomcat devs suggest that tomcat.annotations-api has been removed from tomcat-embed-core shipments in favour of javax.annotations-api; refer to https://bz.apache.org/bugzilla/show_bug.cgi?id=61439.
> 
> pengjianhua wrote:
>     OK. Thanks. How do you think we should deal with this issue? Should we upgrade directly to Tomcat 7.0.83, or is there a better way to handle this issue?
> 
> Vishal Suvagia wrote:
>     Pengjianhua, sadly it looks like there is no tomcat-7.0.83 build out yet. From what I have tried, we will need to add a new dependency for javax.annotation-api -> https://mvnrepository.com/artifact/javax.annotation/javax.annotation-api.
> 
> pengjianhua wrote:
>     Hi Vishal Suvagia, please refer to http://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core/7.0.82 and http://mvnrepository.com/artifact/org.apache.tomcat/tomcat-annotations-api/7.0.82.

Pengjianhua, my bad, it looks like I missed the tomcat-annotations-api; I will drop the issue.


- Vishal


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Dec. 5, 2017, 2:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   embeddedwebserver/pom.xml 81699573 
>   pom.xml 589cd6ac 
>   src/main/assembly/admin-web.xml aa37426f 
>   src/main/assembly/kms.xml 7c40ce4e 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/5/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>

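The review description quoted above gives the affected Tomcat ranges (7.0.0-7.0.79 for CVE-2017-12615, 7.0.0-7.0.80 for CVE-2017-12616) and the precondition for the PUT-based JSP upload (HTTP PUT enabled). The script below is an added example, not code from the review or the Ranger project: it reads the Tomcat version a Maven build pins and the DefaultServlet configuration, and reports which of the two CVEs still apply and whether the PUT precondition is met. It assumes the version lives in a `<tomcat.version>` property in pom.xml (Ranger's real property name may differ) and that PUT is governed by a web.xml-style DefaultServlet `readonly` init-param; an embedded server that configures Tomcat programmatically would need the same check applied to its code instead. The Windows-only condition in the CVE-2017-12615 text is not modelled. The pom and web.xml fragments at the bottom are constructed for the demo.

```python
"""Check a Maven-built Tomcat deployment against the RANGER-1797 advisory.

Added example, not Ranger project code. Assumptions: the pom carries a
<tomcat.version> property, and HTTP PUT is enabled through the
DefaultServlet 'readonly' init-param in a web.xml (Tomcat only honours
PUT/DELETE on the DefaultServlet when readonly=false; the default is true).
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as stated in the advisory quoted in the thread.
AFFECTED = {
    "CVE-2017-12615": ((7, 0, 0), (7, 0, 79)),
    "CVE-2017-12616": ((7, 0, 0), (7, 0, 80)),
}


def parse_version(text):
    """'7.0.82' -> (7, 0, 82); anything that is not three dotted integers is rejected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    return tuple(int(p) for p in m.groups())


def affected_cves(version):
    """CVE ids whose affected range (inclusive) contains this version."""
    v = parse_version(version)
    return sorted(cve for cve, (lo, hi) in AFFECTED.items() if lo <= v <= hi)


def tomcat_version_from_pom(pom_xml):
    """Read <tomcat.version> from <properties>, with or without the POM namespace."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    node = root.find("m:properties/m:tomcat.version", ns)
    if node is None:
        node = root.find("properties/tomcat.version")
    if node is None or not node.text:
        raise ValueError("no tomcat.version property in pom")
    return node.text.strip()


def put_enabled(web_xml):
    """True when the DefaultServlet is configured with readonly=false."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter("servlet"):
        if not servlet.findtext("servlet-class", "").endswith("servlets.DefaultServlet"):
            continue
        for param in servlet.iter("init-param"):
            if param.findtext("param-name", "").strip() == "readonly":
                return param.findtext("param-value", "").strip().lower() == "false"
    return False  # no readonly param means Tomcat's default of true


def assess(pom_xml, web_xml):
    """Combine the version and configuration checks into one report."""
    version = tomcat_version_from_pom(pom_xml)
    cves = affected_cves(version)
    put = put_enabled(web_xml)
    return {
        "tomcat_version": version,
        "affected": cves,
        "put_enabled": put,
        # The JSP-upload RCE needs both a vulnerable version and PUT enabled.
        "put_rce_exposed": "CVE-2017-12615" in cves and put,
    }


# Constructed sample inputs; not Ranger's real pom.xml or web.xml.
SAMPLE_POM_OLD = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><tomcat.version>7.0.79</tomcat.version></properties>
</project>"""
SAMPLE_POM_NEW = SAMPLE_POM_OLD.replace("7.0.79", "7.0.82")
SAMPLE_WEB_XML_WRITABLE = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    for pom in (SAMPLE_POM_OLD, SAMPLE_POM_NEW):
        print(assess(pom, SAMPLE_WEB_XML_WRITABLE))
```

Run it against a real pom.xml and web.xml by passing their contents to `assess()`. Note that the upgraded build (7.0.82) still reports `put_enabled` as true: the version bump closes the two CVEs but leaves a writable DefaultServlet in place, which is worth turning off unless PUT is actually required.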

Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by Vishal Suvagia via Review Board <no...@reviews.apache.org>.

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> >     @PengJianhua,
> >     I used the attached patch and did a build on my local machine using mvn clean compile package.
> >     After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services start. I am getting an error in the catalina.out file as the Tomcat server start itself is failing (PS: attached the log file on the Apache JIRA).
> >     
> >     To resolve the issue I had to add a dependency for javax.annotation-api.
> >     
> >     Did the attached patch work for you without adding this dependency? If yes, kindly share how this worked for you!
> 
> pengjianhua wrote:
>     OK. I didn't add this dependency. My compile is OK. Please delete your local Maven repository. Then compile the Ranger project using the following command:
>     sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
>     Pengjianhua, the compile goes through fine. But did the Ranger-Admin service start using the compiled packaged bits? Are you able to access the Ranger UI?
> 
> pengjianhua wrote:
>     I can access the Ranger UI. Your question should have nothing to do with this issue. If I guess correctly, you should get a more in-depth understanding of how to use Ranger; please refer to the manual to configure your Ranger.
>     If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
>     @Pengjianhua: When I try to start the Ranger-Admin and Ranger-KMS services, the service start itself is failing, and I also got the same error in catalina.out which Vishal has attached on JIRA.
>     
>     Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
>     It also fails for me with errors in catalina.out like:
>     
>     INFO: validateJarFile(....../lib/javax.servlet-api-3.1.0.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class
> 
> pengjianhua wrote:
>     I compiled the source that I built the patch against. Based on that compiled version I have been testing and verifying whether the issue affected Ranger's functionality. Maybe our latest modifications introduced new issues. I will also compile the latest source to further verify the problem you mentioned.
> 
> pengjianhua wrote:
>     I'm sorry. In this patch I was missing the tomcat-annotations-api dependency package. I have fixed this patch. Thanks!
> 
> pengjianhua wrote:
>     Hi Colm and Bhavik Patel, is there any problem now? If there is no problem, I will merge this issue.
> 
> Vishal Suvagia wrote:
>     Hi Pengjianhua,
>     The versions for org.apache.tomcat -> annotations-api present here -> https://mvnrepository.com/artifact/org.apache.tomcat/annotations-api do not have a specific build for 7.0.82 (the last stable build version is 6.0.53).
>     Additionally, recent fixes from the Tomcat devs suggest that tomcat.annotations-api has been removed from tomcat-embed-core shipments in favour of javax.annotations-api; refer to -> https://bz.apache.org/bugzilla/show_bug.cgi?id=61439.
> 
> pengjianhua wrote:
>     OK. Thanks. How do you think we should deal with this issue? Should we upgrade directly to Tomcat 7.0.83, or is there a better way to handle this issue?

Pengjianhua, sadly it looks like there is no tomcat-7.0.83 build out yet. From what I have tried, we will need to add a new dependency for javax.annotation-api -> https://mvnrepository.com/artifact/javax.annotation/javax.annotation-api.


- Vishal


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Dec. 5, 2017, 2:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   embeddedwebserver/pom.xml 81699573 
>   pom.xml 589cd6ac 
>   src/main/assembly/admin-web.xml aa37426f 
>   src/main/assembly/kms.xml 7c40ce4e 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/5/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>

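The catalina.out line Colm quotes in the message above ("validateJarFile(.../lib/javax.servlet-api-3.1.0.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class") is Tomcat's web application class loader refusing to load a jar that ships the container-owned javax.servlet.Servlet class. It is logged at INFO and the jar is silently dropped, so any other class that jar carried is simply missing at startup, which is why the failure in this thread looked unrelated to the Tomcat bump. The script below is an added example, not Ranger or Tomcat code: it scans a lib directory the way that check does (only the javax.servlet.Servlet trigger is modelled, as an assumption) and reports which remaining jar, if any, still supplies the javax.annotation API that the thread ended up needing. The jar names and contents are constructed for the demo, and javax.annotation.PostConstruct is used only as a presence marker for that API.

```python
"""Model Tomcat's WEB-INF/lib jar validation and the annotation-API gap.

Added example, not Ranger project code. Tomcat skips any jar in WEB-INF/lib
that contains a container-owned trigger class (Servlet Spec 3.0, section
10.7.2) and logs an INFO line naming the offending class; everything else
in that jar is then unavailable. Only the javax.servlet.Servlet trigger is
modelled here (assumption). Jar names and contents below are constructed.
"""
import os
import tempfile
import zipfile

# Trigger class Tomcat names in the log line from the thread.
TRIGGER_CLASSES = ("javax/servlet/Servlet.class",)
# One class from the javax.annotation API, used as a presence marker.
ANNOTATION_API_CLASS = "javax/annotation/PostConstruct.class"


def class_entries(jar_path):
    """All .class entry names inside a jar, in archive order."""
    with zipfile.ZipFile(jar_path) as zf:
        return [i.filename for i in zf.infolist() if i.filename.endswith(".class")]


def offending_classes(jar_path):
    """Entries that would make Tomcat's validateJarFile reject this jar."""
    return [e for e in class_entries(jar_path) if e in TRIGGER_CLASSES]


def scan_lib_dir(lib_dir):
    """Report the jars Tomcat would skip and the jars providing javax.annotation."""
    skipped, providers = {}, []
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        path = os.path.join(lib_dir, name)
        bad = offending_classes(path)
        if bad:
            skipped[name] = bad[0]   # Tomcat reports the first offending class
            continue                 # nothing from a skipped jar is loaded
        if ANNOTATION_API_CLASS in class_entries(path):
            providers.append(name)
    return {"skipped": skipped, "annotation_providers": providers}


def make_jar(path, class_names):
    """Write a jar whose .class entries are empty; only the names matter here."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in class_names:
            zf.writestr(name, b"")


def build_demo_lib(lib_dir, with_annotation_api):
    """Constructed WEB-INF/lib: a servlet-api jar (always skipped), one
    application jar, and optionally the annotation-API jar the thread added."""
    make_jar(os.path.join(lib_dir, "javax.servlet-api-3.1.0.jar"),
             ["javax/servlet/Servlet.class", "javax/servlet/http/HttpServlet.class"])
    make_jar(os.path.join(lib_dir, "ranger-admin-demo.jar"),
             ["org/example/DemoServlet.class"])
    if with_annotation_api:
        make_jar(os.path.join(lib_dir, "tomcat-annotations-api-7.0.82.jar"),
                 [ANNOTATION_API_CLASS])
    return lib_dir


def demo(with_annotation_api=True):
    """Scan a freshly constructed lib directory and return the report."""
    with tempfile.TemporaryDirectory() as lib_dir:
        return scan_lib_dir(build_demo_lib(lib_dir, with_annotation_api))


if __name__ == "__main__":
    for flag in (False, True):
        print("with annotation api:" if flag else "without annotation api:", demo(flag))
```

Point `scan_lib_dir()` at a real WEB-INF/lib to see the same two facts Tomcat's log line only hints at: which jars will be dropped, and whether dropping them leaves the javax.annotation API with no provider at all.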

Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by Vishal Suvagia via Review Board <no...@reviews.apache.org>.

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> >     @PengJianhua,
> >     I used the attached patch and did a build on my local machine using mvn clean compile package.
> >     After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services start. I am getting an error in the catalina.out file as the Tomcat server start itself is failing (PS: attached the log file on the Apache JIRA).
> >     
> >     To resolve the issue I had to add a dependency for javax.annotation-api.
> >     
> >     Did the attached patch work for you without adding this dependency? If yes, kindly share how this worked for you!
> 
> pengjianhua wrote:
>     OK. I didn't add this dependency. My compile is OK. Please delete your local Maven repository. Then compile the Ranger project using the following command:
>     sudo mvn clean compile package assembly:assembly install -DskipTests

Pengjianhua, the compile goes through fine. But did the Ranger-Admin service start using the compiled packaged bits? Are you able to access the Ranger UI?


- Vishal


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------


On Nov. 30, 2017, 1:55 p.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Nov. 30, 2017, 1:55 p.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   pom.xml 589cd6ac 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/3/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by pengjianhua <pe...@zte.com.cn>.

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> >     @PengJianhua,
> >     I used the attached patch and did a build on my local machine using mvn clean compile package.
> >     After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services start. I am getting an error in the catalina.out file as the Tomcat server start itself is failing (PS: attached the log file on the Apache JIRA).
> >     
> >     To resolve the issue I had to add a dependency for javax.annotation-api.
> >     
> >     Did the attached patch work for you without adding this dependency? If yes, kindly share how this worked for you!

OK. I didn't add this dependency. My compile is OK. Please delete your local Maven repository. Then compile the Ranger project using the following command:
sudo mvn clean compile package assembly:assembly install -DskipTests


- pengjianhua


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------


On Oct. 10, 2017, 7:01 a.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Oct. 10, 2017, 7:01 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   pom.xml 3958014c 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/2/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by pengjianhua <pe...@zte.com.cn>.

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> >     @PengJianhua,
> >     I used the attached patch and did a build on my local machine using mvn clean compile package.
> >     After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services start. I am getting an error in the catalina.out file as the Tomcat server start itself is failing (PS: attached the log file on the Apache JIRA).
> >     
> >     To resolve the issue I had to add a dependency for javax.annotation-api.
> >     
> >     Did the attached patch work for you without adding this dependency? If yes, kindly share how this worked for you!
> 
> pengjianhua wrote:
>     OK. I didn't add this dependency. My compile is OK. Please delete your local Maven repository. Then compile the Ranger project using the following command:
>     sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
>     Pengjianhua, the compile goes through fine. But did the Ranger-Admin service start using the compiled packaged bits? Are you able to access the Ranger UI?
> 
> pengjianhua wrote:
>     I can access the Ranger UI. Your question should have nothing to do with this issue. If I guess correctly, you should get a more in-depth understanding of how to use Ranger; please refer to the manual to configure your Ranger.
>     If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
>     @Pengjianhua: When I try to start the Ranger-Admin and Ranger-KMS services, the service start itself is failing, and I also got the same error in catalina.out which Vishal has attached on JIRA.
>     
>     Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
>     It also fails for me with errors in catalina.out like:
>     
>     INFO: validateJarFile(....../lib/javax.servlet-api-3.1.0.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class
> 
> pengjianhua wrote:
>     I compiled the source that I built the patch against. Based on that compiled version I have been testing and verifying whether the issue affected Ranger's functionality. Maybe our latest modifications introduced new issues. I will also compile the latest source to further verify the problem you mentioned.
> 
> pengjianhua wrote:
>     I'm sorry. In this patch I was missing the tomcat-annotations-api dependency package. I have fixed this patch. Thanks!
> 
> pengjianhua wrote:
>     Hi Colm and Bhavik Patel, is there any problem now? If there is no problem, I will merge this issue.
> 
> Vishal Suvagia wrote:
>     Hi Pengjianhua,
>     The versions for org.apache.tomcat -> annotations-api present here -> https://mvnrepository.com/artifact/org.apache.tomcat/annotations-api do not have a specific build for 7.0.82 (the last stable build version is 6.0.53).
>     Additionally, recent fixes from the Tomcat devs suggest that tomcat.annotations-api has been removed from tomcat-embed-core shipments in favour of javax.annotations-api; refer to -> https://bz.apache.org/bugzilla/show_bug.cgi?id=61439.

OK. Thanks. How do you think we should deal with this issue? Should we upgrade directly to Tomcat 7.0.83, or is there a better way to handle this issue?


- pengjianhua


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Dec. 5, 2017, 2:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   embeddedwebserver/pom.xml 81699573 
>   pom.xml 589cd6ac 
>   src/main/assembly/admin-web.xml aa37426f 
>   src/main/assembly/kms.xml 7c40ce4e 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/5/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by pengjianhua <pe...@zte.com.cn>.

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> >     @PengJianhua,
> >     I used the attached patch and did a build on my local machine using mvn clean compile package.
> >     After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services start. I am getting an error in the catalina.out file as the Tomcat server start itself is failing (PS: attached the log file on the Apache JIRA).
> >     
> >     To resolve the issue I had to add a dependency for javax.annotation-api.
> >     
> >     Did the attached patch work for you without adding this dependency? If yes, kindly share how this worked for you!
> 
> pengjianhua wrote:
>     OK. I didn't add this dependency. My compile is OK. Please delete your local Maven repository. Then compile the Ranger project using the following command:
>     sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
>     Pengjianhua, the compile goes through fine. But did the Ranger-Admin service start using the compiled packaged bits? Are you able to access the Ranger UI?
> 
> pengjianhua wrote:
>     I can access the Ranger UI. Your question should have nothing to do with this issue. If I guess correctly, you should get a more in-depth understanding of how to use Ranger; please refer to the manual to configure your Ranger.
>     If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
>     @Pengjianhua: When I try to start the Ranger-Admin and Ranger-KMS services, the service start itself is failing, and I also got the same error in catalina.out which Vishal has attached on JIRA.
>     
>     Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
>     It also fails for me with errors in catalina.out like:
>     
>     INFO: validateJarFile(....../lib/javax.servlet-api-3.1.0.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class
> 
> pengjianhua wrote:
>     I compiled the source that I built the patch against. Based on that compiled version I have been testing and verifying whether the issue affected Ranger's functionality. Maybe our latest modifications introduced new issues. I will also compile the latest source to further verify the problem you mentioned.
> 
> pengjianhua wrote:
>     I'm sorry. In this patch I was missing the tomcat-annotations-api dependency package. I have fixed this patch. Thanks!

Hi Colm and Bhavik Patel, is there any problem now? If there is no problem, I will merge this issue.


- pengjianhua


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------


On Dec. 4, 2017, 8:47 a.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Dec. 4, 2017, 8:47 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   embeddedwebserver/pom.xml 81699573 
>   pom.xml 589cd6ac 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/4/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by Vishal Suvagia via Review Board <no...@reviews.apache.org>.

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> >     @PengJianhua,
> >     I used the attached patch and did a build on my local machine using mvn clean compile package.
> >     After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services start. I am getting an error in the catalina.out file as the Tomcat server start itself is failing (PS: attached the log file on the Apache JIRA).
> >     
> >     To resolve the issue I had to add a dependency for javax.annotation-api.
> >     
> >     Did the attached patch work for you without adding this dependency? If yes, kindly share how this worked for you!
> 
> pengjianhua wrote:
>     OK. I didn't add this dependency. My compile is OK. Please delete your local Maven repository. Then compile the Ranger project using the following command:
>     sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
>     Pengjianhua, the compile goes through fine. But did the Ranger-Admin service start using the compiled packaged bits? Are you able to access the Ranger UI?
> 
> pengjianhua wrote:
>     I can access the Ranger UI. Your question should have nothing to do with this issue. If I guess correctly, you should get a more in-depth understanding of how to use Ranger; please refer to the manual to configure your Ranger.
>     If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
>     @Pengjianhua: When I try to start the Ranger-Admin and Ranger-KMS services, the service start itself is failing, and I also got the same error in catalina.out which Vishal has attached on JIRA.
>     
>     Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
>     It also fails for me with errors in catalina.out like:
>     
>     INFO: validateJarFile(....../lib/javax.servlet-api-3.1.0.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class
> 
> pengjianhua wrote:
>     I compiled the source that I built the patch against. Based on that compiled version I have been testing and verifying whether the issue affected Ranger's functionality. Maybe our latest modifications introduced new issues. I will also compile the latest source to further verify the problem you mentioned.
> 
> pengjianhua wrote:
>     I'm sorry. In this patch I was missing the tomcat-annotations-api dependency package. I have fixed this patch. Thanks!
> 
> pengjianhua wrote:
>     Hi Colm and Bhavik Patel, is there any problem now? If there is no problem, I will merge this issue.

Hi Pengjianhua,
    The versions for org.apache.tomcat -> annotations-api present here -> https://mvnrepository.com/artifact/org.apache.tomcat/annotations-api do not have a specific build for 7.0.82 (the last stable build version is 6.0.53).
Additionally, recent fixes from the Tomcat devs suggest that tomcat.annotations-api has been removed from tomcat-embed-core shipments in favour of javax.annotations-api; refer to -> https://bz.apache.org/bugzilla/show_bug.cgi?id=61439.


- Vishal


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Dec. 5, 2017, 2:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   embeddedwebserver/pom.xml 81699573 
>   pom.xml 589cd6ac 
>   src/main/assembly/admin-web.xml aa37426f 
>   src/main/assembly/kms.xml 7c40ce4e 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/5/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by pengjianhua <pe...@zte.com.cn>.

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> >     @PengJianhua,
> >     I used the attached patch and did a build on my local machine using mvn clean compile package.
> >     After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services start. I am getting an error in the catalina.out file as the Tomcat server start itself is failing (PS: attached log file on Apache JIRA).
> >     
> >     To resolve the issue I had to add a dependency for javax.annotation-api.
> >     
> >     Did the attached patch work for you without adding this dependency? If yes, kindly share how this worked for you!
> 
> pengjianhua wrote:
>     Ok. I didn't add this dependency. My compilation is OK. Please delete your local maven repository. Then compile the ranger project using the following command:
>     sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
>     Pengjianhua, the compile goes through fine. But did the Ranger-Admin service start using the compiled packaged bits? Are you able to access the Ranger UI?

I can access the Ranger UI. Your question should have nothing to do with this issue. If I guess right, you should have a more in-depth understanding of how to use Ranger; please refer to the manual to configure your Ranger.
If you encounter problems during use, you can email me or the community.


- pengjianhua


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------


On Nov. 30, 2017, 1:55 p.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Nov. 30, 2017, 1:55 p.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615 / CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request, bypass security constraints, or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   pom.xml 589cd6ac 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/3/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by bhavik patel <bh...@gmail.com>.

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> >     @PengJianhua,
> >     I used the attached patch and did a build on my local machine using mvn clean compile package.
> >     After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services start. I am getting an error in the catalina.out file as the Tomcat server start itself is failing (PS: attached log file on Apache JIRA).
> >     
> >     To resolve the issue I had to add a dependency for javax.annotation-api.
> >     
> >     Did the attached patch work for you without adding this dependency? If yes, kindly share how this worked for you!
> 
> pengjianhua wrote:
>     Ok. I didn't add this dependency. My compilation is OK. Please delete your local maven repository. Then compile the ranger project using the following command:
>     sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
>     Pengjianhua, the compile goes through fine. But did the Ranger-Admin service start using the compiled packaged bits? Are you able to access the Ranger UI?
> 
> pengjianhua wrote:
>     I can access the Ranger UI. Your question should have nothing to do with this issue. If I guess right, you should have a more in-depth understanding of how to use Ranger; please refer to the manual to configure your Ranger.
>     If you encounter problems during use, you can email me or the community.

@Pengjianhua : When I try to start the Ranger-Admin and Ranger-KMS services, the service start itself is failing, and I also got the same error in catalina.out that Vishal attached on JIRA.

Not sure how it's working for you!!!


- bhavik


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------


On Nov. 30, 2017, 1:55 p.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Nov. 30, 2017, 1:55 p.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615 / CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request, bypass security constraints, or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   pom.xml 589cd6ac 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/3/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by pengjianhua <pe...@zte.com.cn>.

> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> >     @PengJianhua,
> >     I used the attached patch and did a build on my local machine using mvn clean compile package.
> >     After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services start. I am getting an error in the catalina.out file as the Tomcat server start itself is failing (PS: attached log file on Apache JIRA).
> >     
> >     To resolve the issue I had to add a dependency for javax.annotation-api.
> >     
> >     Did the attached patch work for you without adding this dependency? If yes, kindly share how this worked for you!
> 
> pengjianhua wrote:
>     Ok. I didn't add this dependency. My compilation is OK. Please delete your local maven repository. Then compile the ranger project using the following command:
>     sudo mvn clean compile package assembly:assembly install -DskipTests
> 
> Vishal Suvagia wrote:
>     Pengjianhua, the compile goes through fine. But did the Ranger-Admin service start using the compiled packaged bits? Are you able to access the Ranger UI?
> 
> pengjianhua wrote:
>     I can access the Ranger UI. Your question should have nothing to do with this issue. If I guess right, you should have a more in-depth understanding of how to use Ranger; please refer to the manual to configure your Ranger.
>     If you encounter problems during use, you can email me or the community.
> 
> bhavik patel wrote:
>     @Pengjianhua : When I try to start the Ranger-Admin and Ranger-KMS services, the service start itself is failing, and I also got the same error in catalina.out that Vishal attached on JIRA.
>     
>     Not sure how it's working for you!!!
> 
> Colm O hEigeartaigh wrote:
>     It also fails for me with errors in catalina.out like:
>     
>     INFO: validateJarFile(....../lib/javax.servlet-api-3.1.0.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class
> 
> pengjianhua wrote:
>     I compiled the source against which I built the patch. Based on that build I have been testing and verifying whether the issue affected Ranger's functionality. Maybe our latest modifications introduced new issues. I will also compile the latest source to further verify the problem you mentioned.

I'm sorry. This patch lacked the tomcat-annotations-api dependency package. I have fixed the patch. Thanks!


- pengjianhua


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------


On Nov. 30, 2017, 1:55 p.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Nov. 30, 2017, 1:55 p.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615 / CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request, bypass security constraints, or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   pom.xml 589cd6ac 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/3/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by Vishal Suvagia via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------




pom.xml
Line 212 (original), 212 (patched)
<https://reviews.apache.org/r/62495/#comment270290>

    @PengJianhua,
    I used the attached patch and did a build on my local machine using mvn clean compile package.
    After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services start. I am getting an error in the catalina.out file as the Tomcat server start itself is failing (PS: attached log file on Apache JIRA).
    
    To resolve the issue I had to add a dependency for javax.annotation-api.
    
    Did the attached patch work for you without adding this dependency? If yes, kindly share how this worked for you!


- Vishal Suvagia


On Oct. 10, 2017, 7:01 a.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Oct. 10, 2017, 7:01 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615 / CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request, bypass security constraints, or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   pom.xml 3958014c 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/2/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by bhavik patel <bh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192836
-----------------------------------------------------------


Ship it!




Ship It!

- bhavik patel


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Dec. 5, 2017, 2:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615 / CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request, bypass security constraints, or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   embeddedwebserver/pom.xml 81699573 
>   pom.xml 589cd6ac 
>   src/main/assembly/admin-web.xml aa37426f 
>   src/main/assembly/kms.xml 7c40ce4e 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/5/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by pengjianhua <pe...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/
-----------------------------------------------------------

(Updated Dec. 5, 2017, 2:59 a.m.)


Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.


Bugs: RANGER-1797
    https://issues.apache.org/jira/browse/RANGER-1797


Repository: ranger


Description
-------

[Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.

CVE ID:
CVE-2017-12615 / CVE-2017-12616

Description
CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request, bypass security constraints, or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.

Scope
CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80

Solution
The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.

Reference
https://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82


Diffs (updated)
-----

  embeddedwebserver/pom.xml 81699573 
  pom.xml 589cd6ac 
  src/main/assembly/admin-web.xml aa37426f 
  src/main/assembly/kms.xml 7c40ce4e 


Diff: https://reviews.apache.org/r/62495/diff/5/

Changes: https://reviews.apache.org/r/62495/diff/4-5/


Testing
-------


Thanks,

pengjianhua
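A defender-side version check for the affected ranges quoted in the Description above, written as an added example; it is not part of this review request or of the Ranger code base. It assumes the Tomcat version is pinned in a <tomcat.version> Maven property (an assumption about the pom layout), treats 7.0.82, the version this review request finally pins, as the recommended floor, and the pom.xml strings it audits are constructed.

```python
"""Check a Maven pom.xml against the Tomcat 7 ranges named in RANGER-1797.

Added example, not Ranger project code. Assumes the Tomcat version is pinned
in a <tomcat.version> property (assumption about the pom layout); the sample
pom strings at the bottom are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as quoted in the review request's Scope section.
AFFECTED = {
    "CVE-2017-12615": ((7, 0, 0), (7, 0, 79)),
    "CVE-2017-12616": ((7, 0, 0), (7, 0, 80)),
}
# The version the review request finally pins (see the request title).
RECOMMENDED = (7, 0, 82)

MAVEN_NS = "http://maven.apache.org/POM/4.0.0"


def parse_version(text):
    """Turn '7.0.81' into (7, 0, 81); anything but three dotted integers is rejected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    return tuple(int(x) for x in m.groups())


def tomcat_version_from_pom(pom_xml, prop="tomcat.version"):
    """Read the pinned Tomcat version from a pom.xml string.

    Looks for the property both with the Maven POM namespace and without it,
    so a pom that omits xmlns still audits.
    """
    root = ET.fromstring(pom_xml)
    for tag in ("{%s}%s" % (MAVEN_NS, prop), prop):
        node = next(root.iter(tag), None)
        if node is not None and node.text:
            return parse_version(node.text)
    raise LookupError(f"<{prop}> property not found in pom")


def affected_cves(version):
    """CVE ids whose affected range (inclusive) contains this version tuple."""
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= version <= hi]


def audit(pom_xml):
    """Summarise exposure for one pom: pinned version, matching CVEs, upgrade status."""
    version = tomcat_version_from_pom(pom_xml)
    return {
        "version": ".".join(map(str, version)),
        "affected": affected_cves(version),
        "meets_recommendation": version >= RECOMMENDED,
    }


# Constructed sample poms: the pre-patch pin and the pin after the upgrade.
SAMPLE_POM_OLD = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <tomcat.version>7.0.79</tomcat.version>
  </properties>
</project>"""
SAMPLE_POM_NEW = SAMPLE_POM_OLD.replace("7.0.79", "7.0.82")


if __name__ == "__main__":
    for label, pom in (("before upgrade", SAMPLE_POM_OLD), ("after upgrade", SAMPLE_POM_NEW)):
        print(label, audit(pom))
```

Note that 7.0.81 passes both CVE range checks but still fails the recommendation check, which is the distinction between "fixed" (7.0.81) and "what this patch pins" (7.0.82).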


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by pengjianhua <pe...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/
-----------------------------------------------------------

(Updated Dec. 4, 2017, 8:47 a.m.)


Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.


Bugs: RANGER-1797
    https://issues.apache.org/jira/browse/RANGER-1797


Repository: ranger


Description
-------

[Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.

CVE ID:
CVE-2017-12615 / CVE-2017-12616

Description
CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request, bypass security constraints, or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.

Scope
CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80

Solution
The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.

Reference
https://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82


Diffs (updated)
-----

  embeddedwebserver/pom.xml 81699573 
  pom.xml 589cd6ac 


Diff: https://reviews.apache.org/r/62495/diff/4/

Changes: https://reviews.apache.org/r/62495/diff/3-4/


Testing
-------


Thanks,

pengjianhua


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by Qiang Zhang <zh...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192451
-----------------------------------------------------------


Ship it!




Ship It!

- Qiang Zhang


On Nov. 30, 2017, 1:55 p.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Nov. 30, 2017, 1:55 p.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615 / CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request, bypass security constraints, or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   pom.xml 589cd6ac 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/3/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by pengjianhua <pe...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/
-----------------------------------------------------------

(Updated Nov. 30, 2017, 1:55 p.m.)


Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.


Bugs: RANGER-1797
    https://issues.apache.org/jira/browse/RANGER-1797


Repository: ranger


Description
-------

[Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.

CVE ID:
CVE-2017-12615 / CVE-2017-12616

Description
CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request, bypass security constraints, or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.

Scope
CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80

Solution
The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.

Reference
https://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82


Diffs (updated)
-----

  pom.xml 589cd6ac 


Diff: https://reviews.apache.org/r/62495/diff/3/

Changes: https://reviews.apache.org/r/62495/diff/2-3/


Testing
-------


Thanks,

pengjianhua


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by pengjianhua <pe...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/
-----------------------------------------------------------

(Updated Oct. 10, 2017, 7:01 a.m.)


Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.


Bugs: RANGER-1797
    https://issues.apache.org/jira/browse/RANGER-1797


Repository: ranger


Description
-------

[Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.

CVE ID:
CVE-2017-12615 / CVE-2017-12616

Description
CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request, bypass security constraints, or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.

Scope
CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80

Solution
The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.

Reference
https://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82


Diffs (updated)
-----

  pom.xml 3958014c 


Diff: https://reviews.apache.org/r/62495/diff/2/

Changes: https://reviews.apache.org/r/62495/diff/1-2/


Testing
-------


Thanks,

pengjianhua


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.

Posted by pengjianhua <pe...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/
-----------------------------------------------------------

(Updated Oct. 10, 2017, 6:21 a.m.)


Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.


Summary (updated)
-----------------

RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.


Bugs: RANGER-1797
    https://issues.apache.org/jira/browse/RANGER-1797


Repository: ranger


Description (updated)
-------

[Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.

CVE ID:
CVE-2017-12615 / CVE-2017-12616

Description
CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request, bypass security constraints, or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.

Scope
CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80

Solution
The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.

Reference
https://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82


Diffs
-----

  pom.xml 3958014c 


Diff: https://reviews.apache.org/r/62495/diff/1/


Testing
-------


Thanks,

pengjianhua


Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.

Posted by pengjianhua <pe...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/
-----------------------------------------------------------

(Updated Sept. 22, 2017, 8:35 a.m.)


Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.


Bugs: RANGER-1797
    https://issues.apache.org/jira/browse/RANGER-1797


Repository: ranger


Description (updated)
-------

[Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.

CVE ID:
CVE-2017-12615 / CVE-2017-12616

Description
CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request, bypass security constraints, or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.

Scope
CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80

Solution
The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.

Reference
https://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81


Diffs
-----

  pom.xml 3958014c 


Diff: https://reviews.apache.org/r/62495/diff/1/


Testing
-------


Thanks,

pengjianhua