Posted to dev@ranger.apache.org by "Anurag (Jira)" <ji...@apache.org> on 2022/06/13 06:51:00 UTC

[jira] [Updated] (RANGER-3785) CVSS-V3 >= 10 vulnerability in Apache Ranger 2.2.0

     [ https://issues.apache.org/jira/browse/RANGER-3785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anurag updated RANGER-3785:
---------------------------
    Summary: CVSS-V3 >= 10 vulnerability in Apache Ranger 2.2.0  (was: CVSS V3 10 vulnerability in Apache Ranger 2.2.0)

> CVSS-V3 >= 10 vulnerability in Apache Ranger 2.2.0
> --------------------------------------------------
>
>                 Key: RANGER-3785
>                 URL: https://issues.apache.org/jira/browse/RANGER-3785
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 2.2.0
>            Reporter: Anurag
>            Priority: Critical
>
> Hi Team
>  
>  We have found two CVSS V3 >= 10 vulnerabilities in the latest Ranger Admin release. Kindly help us patch this at the earliest, since these are critical and may lead to unforeseen adversities.
>  
>  Details of the vulnerability:
>  
>  
> |Summary|CVE|Severity|Component|CVSS V3|Source Comp Id|Details|
> |Apache Log4j2 2.0-beta9 through 2.15.0|CVE-2021-44228|Critical|org.apache.logging.log4j:log4j-core|10.0/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H|gav://org.apache.logging.log4j:log4j-core:2.13.3|Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.|
> |FasterXML jackson-databind|CVE-2018-14721|Critical|com.fasterxml.jackson.core:jackson-databind|10.0/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H|gav://com.fasterxml.jackson.core:jackson-databind:2.4.0|FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.|
>  
> Thanks and Regards
> Anurag
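As an added example (not code from the ticket or from the Ranger project): a small checker that applies the affected ranges quoted in the table above to `gav://` coordinates taken from a dependency listing, so a build can be screened for the two reported artifacts before upgrading. The `parse_version`, `check_gav` and `scan` names and the sample input are my own constructions.

```python
"""Screen gav:// coordinates against the affected ranges quoted in RANGER-3785.

Constructed example, not Ranger project code. The ranges come from the two CVE
descriptions in the ticket: log4j-core 2.0-beta9 through 2.15.0 (excluding
2.12.2, 2.12.3 and 2.3.1) and jackson-databind 2.x before 2.9.7."""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")
GAV_RE = re.compile(r"^gav://([^:]+):([^:]+):([^:]+)$")


def parse_version(v: str) -> tuple:
    """Turn '2.13.3' or '2.0-beta9' into a comparable tuple.
    A tagged pre-release (2.0-beta9) sorts below the untagged final (2.0.0)."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised version: {v}")
    major, minor, patch, tag, tagnum = m.groups()
    pre = (0, tag, int(tagnum or 0)) if tag else (1,)
    return (int(major), int(minor), int(patch or 0)) + pre


LOG4J_EXCLUDED = {parse_version(x) for x in ("2.12.2", "2.12.3", "2.3.1")}


def log4j_affected(v: tuple) -> bool:
    return (parse_version("2.0-beta9") <= v <= parse_version("2.15.0")
            and v not in LOG4J_EXCLUDED)


def jackson_affected(v: tuple) -> bool:
    return parse_version("2.0.0") <= v < parse_version("2.9.7")


# groupId:artifactId -> (CVE id from the ticket, affected-range predicate)
RULES = {
    "org.apache.logging.log4j:log4j-core": ("CVE-2021-44228", log4j_affected),
    "com.fasterxml.jackson.core:jackson-databind": ("CVE-2018-14721", jackson_affected),
}


def check_gav(gav: str):
    """Return the CVE id if the coordinate is in an affected range, else None."""
    m = GAV_RE.match(gav)
    if not m:
        raise ValueError(f"not a gav:// coordinate: {gav}")
    group, artifact, version = m.groups()
    rule = RULES.get(f"{group}:{artifact}")
    if rule is None:
        return None  # artifact not covered by the ticket's two findings
    cve, affected = rule
    return cve if affected(parse_version(version)) else None


def scan(gavs):
    """Map each coordinate of a dependency listing to its CVE id (or None)."""
    return {g: check_gav(g) for g in gavs}


if __name__ == "__main__":
    # Constructed input: the two coordinates from the ticket plus fixed versions.
    for gav, cve in scan([
        "gav://org.apache.logging.log4j:log4j-core:2.13.3",
        "gav://org.apache.logging.log4j:log4j-core:2.16.0",
        "gav://com.fasterxml.jackson.core:jackson-databind:2.4.0",
        "gav://com.fasterxml.jackson.core:jackson-databind:2.9.7",
    ]).items():
        print(f"{gav}: {cve or 'not in an affected range'}")
```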



--
This message was sent by Atlassian Jira
(v8.20.7#820007)