Posted to dev@ranger.apache.org by Qiang Zhang <zh...@zte.com.cn> on 2018/03/08 08:18:24 UTC

Review Request 65980: Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.85.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65980/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, Selvamohan Neethiraj, sam  rome, and Velmurugan Periasamy.


Bugs: RANGER-1994
    https://issues.apache.org/jira/browse/RANGER-1994


Repository: ranger


Description
-------

[SECURITY] CVE-2018-1305 Security constraint annotations applied too late

CVE-2018-1305 Security constraint annotations applied too late

Severity: High 

Versions Affected:
- Apache Tomcat 9.0.0.M1 to 9.0.4
- Apache Tomcat 8.5.0 to 8.5.27
- Apache Tomcat 8.0.0.RC1 to 8.0.49
- Apache Tomcat 7.0.0 to 7.0.84

Description: Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Mitigation: Users of the affected versions should apply one of the following mitigations. Upgrade to:
- Apache Tomcat 9.0.5 or later
- Apache Tomcat 8.5.28 or later
- Apache Tomcat 8.0.50 or later
- Apache Tomcat 7.0.85 or later

References: https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781@%3Cannounce.tomcat.apache.org%3E


Diffs
-----

  pom.xml d6f98b4 


Diff: https://reviews.apache.org/r/65980/diff/1/


Testing
-------


Thanks,

Qiang Zhang


Re: Review Request 65980: Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.85.

Posted by Qiang Zhang <zh...@zte.com.cn>.

> On March 8, 2018, 9:04 a.m., Velmurugan Periasamy wrote:
> > pom.xml
> > Line 213 (original), 213 (patched)
> > <https://reviews.apache.org/r/65980/diff/1/?file=1972547#file1972547line213>
> >
> >     Can you please provide details on testing done?

I am verifying the issue according to “Testing Done”


- Qiang


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65980/#review198865
-----------------------------------------------------------




Re: Review Request 65980: Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.85.

Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65980/#review198865
-----------------------------------------------------------




pom.xml
Line 213 (original), 213 (patched)
<https://reviews.apache.org/r/65980/#comment279116>

    Can you please provide details on testing done?


- Velmurugan Periasamy




Re: Review Request 65980: Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.85.

Posted by Zsombor Gegesy <zs...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65980/#review199748
-----------------------------------------------------------


Ship it!




Ship It!

- Zsombor Gegesy




Re: Review Request 65980: Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.85.

Posted by Qiang Zhang <zh...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65980/
-----------------------------------------------------------

(Updated March 9, 2018, 3:41 a.m.)


Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, Selvamohan Neethiraj, sam  rome, and Velmurugan Periasamy.


Bugs: RANGER-1994
    https://issues.apache.org/jira/browse/RANGER-1994


Repository: ranger


Description
-------

[SECURITY] CVE-2018-1305 Security constraint annotations applied too late

CVE-2018-1305 Security constraint annotations applied too late

Severity: High 

Versions Affected:
- Apache Tomcat 9.0.0.M1 to 9.0.4
- Apache Tomcat 8.5.0 to 8.5.27
- Apache Tomcat 8.0.0.RC1 to 8.0.49
- Apache Tomcat 7.0.0 to 7.0.84

Description: Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Mitigation: Users of the affected versions should apply one of the following mitigations. Upgrade to:
- Apache Tomcat 9.0.5 or later
- Apache Tomcat 8.5.28 or later
- Apache Tomcat 8.0.50 or later
- Apache Tomcat 7.0.85 or later

References: https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781@%3Cannounce.tomcat.apache.org%3E
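As an added example (not part of this review request or of the Ranger code base), the version ranges from the advisory above, both in the original request and in this updated one, applied as a small checker: it decides whether a given Tomcat version is affected by CVE-2018-1305 and names the first fixed release, and it can read the version from a pom.xml property. The property name `tomcat.version` and the sample POM are assumptions, since the actual diff is not shown here; milestone (M1) and release-candidate (RC1) versions are handled because the advisory's ranges start at them.

```python
import re
import xml.etree.ElementTree as ET

# Ranges from the CVE-2018-1305 advisory quoted above:
# (first affected, last affected, first fixed) per Tomcat branch.
AFFECTED_RANGES = [
    ("7.0.0", "7.0.84", "7.0.85"),
    ("8.0.0.RC1", "8.0.49", "8.0.50"),
    ("8.5.0", "8.5.27", "8.5.28"),
    ("9.0.0.M1", "9.0.4", "9.0.5"),
]

def parse_version(version):
    """Sortable (numbers, qualifier) pair for a Tomcat version string.

    Numeric parts compare numerically (padded to three). A milestone (M1) or
    release candidate (RC1) qualifier sorts before the final release of the
    same number, so 9.0.0.M1 < 9.0.0; a final release gets qualifier (1,).
    """
    numbers, qualifier = [], (1,)
    for part in version.strip().split("."):
        if part.isdigit():
            numbers.append(int(part))
            continue
        match = re.fullmatch(r"(M|RC)(\d+)", part)
        if not match:
            raise ValueError("unrecognised Tomcat version: %r" % version)
        qualifier = (0, {"M": 0, "RC": 1}[match.group(1)], int(match.group(2)))
    numbers += [0] * (3 - len(numbers))
    return numbers, qualifier

def fix_for(version):
    """First fixed release if `version` is affected, otherwise None."""
    parsed = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if parse_version(first) <= parsed <= parse_version(last):
            return fixed
    return None

# Constructed sample POM; "tomcat.version" is a hypothetical property name,
# not necessarily the one the real Ranger pom.xml uses.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><tomcat.version>7.0.84</tomcat.version></properties>
</project>"""

def check_pom(pom_xml, property_name="tomcat.version"):
    """Assess the Tomcat version property of pom.xml text; {*} ignores the namespace."""
    node = ET.fromstring(pom_xml).find("{*}properties/{*}" + property_name)
    return fix_for(node.text) if node is not None and node.text else None
```

Running `check_pom(SAMPLE_POM)` on the constructed POM returns "7.0.85", the same upgrade target this request applies.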


Diffs
-----

  pom.xml d6f98b4 


Diff: https://reviews.apache.org/r/65980/diff/1/


Testing (updated)
-------

1. Modify the SSL configuration items in install.properties for the Ranger Admin.
#SSL config
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
javax_net_ssl_keyStore=/opt/ranger-1.1.0-admin/ssl/keystore
javax_net_ssl_keyStorePassword=hdp1234$
javax_net_ssl_trustStore=/opt/ranger-1.1.0-admin/ssl/truststore
javax_net_ssl_trustStorePassword=hdp1234$
...
#
# ------- PolicyManager CONFIG ----------------
#
policymgr_external_url=https://localhost:6182
policymgr_http_enabled=false
policymgr_https_keystore_file=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify.jks
policymgr_https_keystore_keyalias=rangertomcatverify
policymgr_https_keystore_password=hdp1234$
2. Install the Ranger Admin.

3. Modify the SSL configuration items in install.properties for the usersync.
#
#  POLICY_MGR_URL = http://policymanager.xasecure.net:6080
#
POLICY_MGR_URL = https://sslrangerserver:6182
# SSL Authentication
AUTH_SSL_ENABLED=false
AUTH_SSL_KEYSTORE_FILE=/opt/ranger-1.1.0-admin/ssl/keystore
AUTH_SSL_KEYSTORE_PASSWORD=hdp1234$
AUTH_SSL_TRUSTSTORE_FILE=/opt/ranger-1.1.0-admin/ssl/truststore
AUTH_SSL_TRUSTSTORE_PASSWORD=hdp1234$
4. Install the Ranger usersync.

5. Modify the SSL configuration items in install.properties for the KMS.
#
#  POLICY_MGR_URL = http://policymanager.xasecure.net:6080
#
POLICY_MGR_URL = https://sslrangerserver:6182
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
db_ssl_auth_type=2-way
javax_net_ssl_keyStore=/opt/ranger-1.1.0-admin/ssl/keystore
javax_net_ssl_keyStorePassword=hdp1234$
javax_net_ssl_trustStore=/opt/ranger-1.1.0-admin/ssl/truststore
javax_net_ssl_trustStorePassword=hdp1234$
#
# SSL Client Certificate Information
#
SSL_KEYSTORE_FILE_PATH=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify-keystore.jks
SSL_KEYSTORE_PASSWORD=myKeyFilePassword
SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify-truststore.jks
SSL_TRUSTSTORE_PASSWORD=changeit
6. Install the KMS.

7. Modify the SSL configuration items in install.properties for the plugins.
#
#  POLICY_MGR_URL = http://policymanager.xasecure.net:6080
#
POLICY_MGR_URL = https://sslrangerserver:6182
#
# SSL Client Certificate Information
#
SSL_KEYSTORE_FILE_PATH=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify-keystore.jks
SSL_KEYSTORE_PASSWORD=myKeyFilePassword
SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify-truststore.jks
SSL_TRUSTSTORE_PASSWORD=changeit
8. Install the plugins.


Thanks,

Qiang Zhang