----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/65980/#review199748 -----------------------------------------------------------
Ship it!

Ship It!

- Zsombor Gegesy


On March 9, 2018, 3:41 a.m., Qiang Zhang wrote:

> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/65980/
> -----------------------------------------------------------
>
> (Updated March 9, 2018, 3:41 a.m.)
>
>
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, Selvamohan Neethiraj, sam rome, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-1994
>     https://issues.apache.org/jira/browse/RANGER-1994
>
>
> Repository: ranger
>
>
> Description
> -------
>
> [SECURITY] CVE-2018-1305 Security constraint annotations applied too late
>
> CVE-2018-1305 Security constraint annotations applied too late
>
> Severity: High
>
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.4
> Apache Tomcat 8.5.0 to 8.5.27
> Apache Tomcat 8.0.0.RC1 to 8.0.49
> Apache Tomcat 7.0.0 to 7.0.84
>
> Description:
> Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
>
> Mitigation:
> Users of the affected versions should apply one of the following mitigations. Upgrade to:
> - Apache Tomcat 9.0.5 or later
> - Apache Tomcat 8.5.28 or later
> - Apache Tomcat 8.0.50 or later
> - Apache Tomcat 7.0.85 or later
>
> References:
> https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781@%3Cannounce.tomcat.apache.org%3E
>
>
> Diffs
> -----
>
>   pom.xml d6f98b4
>
>
> Diff: https://reviews.apache.org/r/65980/diff/1/
>
>
> Testing
> -------
>
> 1. Modify the ssl configuration item in install.properties for the Ranger Admin.
>
>     #SSL config
>     db_ssl_enabled=true
>     db_ssl_required=true
>     db_ssl_verifyServerCertificate=true
>     javax_net_ssl_keyStore=/opt/ranger-1.1.0-admin/ssl/keystore
>     javax_net_ssl_keyStorePassword=hdp1234$
>     javax_net_ssl_trustStore=/opt/ranger-1.1.0-admin/ssl/truststore
>     javax_net_ssl_trustStorePassword=hdp1234$
>     ...
>     #
>     # ------- PolicyManager CONFIG ----------------
>     #
>     policymgr_external_url=https://localhost:6182
>     policymgr_http_enabled=false
>     policymgr_https_keystore_file=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify.jks
>     policymgr_https_keystore_keyalias=rangertomcatverify
>     policymgr_https_keystore_password=hdp1234$
>
> 2. Install the Ranger Admin
>
> 3. Modify the ssl configuration item in install.properties for the usersync.
>
>     #
>     # POLICY_MGR_URL = http://policymanager.xasecure.net:6080
>     #
>     POLICY_MGR_URL = https://sslrangerserver:6182
>     # SSL Authentication
>     AUTH_SSL_ENABLED=false
>     AUTH_SSL_KEYSTORE_FILE=/opt/ranger-1.1.0-admin/ssl/keystore
>     AUTH_SSL_KEYSTORE_PASSWORD=hdp1234$
>     AUTH_SSL_TRUSTSTORE_FILE=/opt/ranger-1.1.0-admin/ssl/truststore
>     AUTH_SSL_TRUSTSTORE_PASSWORD=hdp1234$
>
> 3. Install the Ranger usersync
>
> 4. Modify the ssl configuration item in install.properties for the kms.
>
>     #
>     # POLICY_MGR_URL = http://policymanager.xasecure.net:6080
>     #
>     POLICY_MGR_URL = https://sslrangerserver:6182
>     db_ssl_enabled=true
>     db_ssl_required=true
>     db_ssl_verifyServerCertificate=true
>     db_ssl_auth_type=2-way
>     javax_net_ssl_keyStore=/opt/ranger-1.1.0-admin/ssl/keystore
>     javax_net_ssl_keyStorePassword=hdp1234$
>     javax_net_ssl_trustStore=/opt/ranger-1.1.0-admin/ssl/truststore
>     javax_net_ssl_trustStorePassword=hdp1234$
>     #
>     # SSL Client Certificate Information
>     #
>     SSL_KEYSTORE_FILE_PATH=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify-keystore.jks
>     SSL_KEYSTORE_PASSWORD=myKeyFilePassword
>     SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify-truststore.jks
>     SSL_TRUSTSTORE_PASSWORD=changeit
>
> 5. Install the KMS
>
> 6. Modify the ssl configuration item in install.properties for plugins
>
>     #
>     # POLICY_MGR_URL = http://policymanager.xasecure.net:6080
>     #
>     POLICY_MGR_URL = https://sslrangerserver:6182
>     #
>     # SSL Client Certificate Information
>     #
>     SSL_KEYSTORE_FILE_PATH=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify-keystore.jks
>     SSL_KEYSTORE_PASSWORD=myKeyFilePassword
>     SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-1.1.0-admin/ssl/rangertomcatverify-truststore.jks
>     SSL_TRUSTSTORE_PASSWORD=changeit
>
> 7. Install plugins
>
>
> Thanks,
>
> Qiang Zhang
>
>
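The review above bumps the Tomcat dependency in pom.xml, but the diff itself is not shown and the testing steps only exercise the SSL wiring. A reviewer checking such a change would want to confirm that no Tomcat artifact in the POM still falls inside the advisory's affected ranges. The script below is an added example (not part of the Ranger review, the Ranger code base, or the Tomcat advisory): it resolves `${property}` references in a POM, collects every dependency in the `org.apache.tomcat*` groups and compares each version against the four ranges listed in the advisory, ordering Tomcat milestone (`M1`) and release-candidate (`RC1`) qualifiers before the final releases of the same number. The embedded pom.xml is constructed for the demonstration and is not Ranger's.

```python
"""Check a Maven pom.xml for Apache Tomcat versions affected by CVE-2018-1305.

Added example, not part of the Ranger review request or the Ranger code base.
The sample POM at the bottom is constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Affected ranges (inclusive) and first fixed release, as listed in the advisory.
AFFECTED = [
    ("9.0.0.M1", "9.0.4", "9.0.5"),
    ("8.5.0", "8.5.27", "8.5.28"),
    ("8.0.0.RC1", "8.0.49", "8.0.50"),
    ("7.0.0", "7.0.84", "7.0.85"),
]

# Tomcat pre-release qualifiers sort before the final release of the same number:
# 9.0.0.M1 < 9.0.0.M27 < 9.0.1, and 8.0.0.RC1 < 8.0.0.RC10 < 8.0.1.
_STAGE_RANK = {"M": 0, "RC": 1}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](M|RC)(\d+))?$")


def parse_version(text):
    """Turn '8.0.0.RC1' into a comparable tuple; raise ValueError on junk."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        return (major, minor, patch, _STAGE_RANK[m.group(4)], int(m.group(5)))
    return (major, minor, patch, 2, 0)  # a final release outranks M/RC builds


def fixed_version_for(version):
    """First fixed release on the same branch, or None if the version is not affected."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    return fixed_version_for(version) is not None


def _resolve(value, props, depth=0):
    """Expand ${prop} references from <properties>; stop on unknown names or cycles."""
    if value is None or depth > 10:
        return value
    expanded = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)
    return expanded if expanded == value else _resolve(expanded, props, depth + 1)


def tomcat_dependencies(pom_xml):
    """Return {'groupId:artifactId': resolved version} for org.apache.tomcat* deps."""
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith(POM_NS) else ""
    props = {}
    for block in root.iter(ns + "properties"):
        for child in block:
            props[child.tag.replace(ns, "")] = (child.text or "").strip()
    found = {}
    for dep in root.iter(ns + "dependency"):
        group = dep.findtext(ns + "groupId", "")
        if not group.startswith("org.apache.tomcat"):
            continue
        artifact = dep.findtext(ns + "artifactId", "")
        version = _resolve(dep.findtext(ns + "version"), props)
        if version:
            found[group + ":" + artifact] = version
    return found


def check_pom(pom_xml):
    """List (coordinate, version, affected, fixed_in) for every Tomcat dependency."""
    return [(coord, ver, is_affected(ver), fixed_version_for(ver))
            for coord, ver in sorted(tomcat_dependencies(pom_xml).items())]


# Constructed sample POM: a vulnerable tomcat-embed-core pinned through a property,
# next to a jasper dependency that already sits on a fixed release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><tomcat.version>8.5.27</tomcat.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-core</artifactId>
      <version>${tomcat.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-jasper</artifactId>
      <version>7.0.85</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for coord, ver, bad, fixed in check_pom(SAMPLE_POM):
        status = "AFFECTED, upgrade to %s" % fixed if bad else "ok"
        print("%-45s %-10s %s" % (coord, ver, status))
```

Run it against a real pom.xml by passing the file contents to `check_pom`. The version parser deliberately rejects anything it does not recognise rather than guessing, so a `LATEST` or range specifier surfaces as an error instead of a silent "ok"; properties inherited from a parent POM are not resolved here, so a `${tomcat.version}` that stays unexpanded should be looked up in the parent before the dependency is declared clean.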
