Anurag created RANGER-3785:
------------------------------
Summary: CVSS V3 > 10 vulnerability in Apache Ranger 2.2.0
Key: RANGER-3785
URL: https://issues.apache.org/jira/browse/RANGER-3785
Project: Ranger
Issue Type: Bug
Components: Ranger
Affects Versions: 2.2.0
Reporter: Anurag
Hi Team
We have found two CVSS V3 > 10 vulnerabilities in the latest Ranger Admin
release. Kindly help us patch this at the earliest, since these are critical
and may lead to unforeseen adversities.
Details of the vulnerability:
|Summary|CVE|Severity|Component|CVSS V3|Source Comp Id|Details|
|---|---|---|---|---|---|---|
|Apache Log4j2 2.0-beta9 through 2.15.0|CVE-2021-44228|Critical|org.apache.logging.log4j:log4j-core|10.0/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H|gav://org.apache.logging.log4j:log4j-core:2.13.3|Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.|
|FasterXML jackson-databind|CVE-2018-14721|Critical|com.fasterxml.jackson.core:jackson-databind|10.0/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H|gav://com.fasterxml.jackson.core:jackson-databind:2.4.0|FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.|
Thanks and Regards
Anurag
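As an added example (not part of this Jira issue and not Ranger project code), the following Python check takes Maven coordinates in the gav:// form used in the table above and flags those whose version falls inside the ranges the two CVE descriptions give: log4j-core 2.0-beta9 through 2.15.0 minus the 2.12.2, 2.12.3 and 2.3.1 security releases, and jackson-databind 2.x before 2.9.7. The sample coordinates are constructed, the pre-release ordering (a `-beta9` qualifier sorting before the plain release) is an assumption modelled on Maven's conventions, and the ranges come from the description text quoted in the report rather than from an NVD feed.

```python
import re
from typing import List, NamedTuple, Optional

# Assumed ordering of common Maven pre-release qualifiers (lower sorts earlier).
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3}


def parse_version(text: str) -> tuple:
    """Turn a Maven-style version string into a sortable key.

    '2.13.3'    -> ((2, 13, 3), 1, 99, 0)   plain release
    '2.0-beta9' -> ((2, 0, 0), 0, 1, 9)     pre-release, sorts before 2.0.0
    """
    base, _, qualifier = text.partition("-")
    nums = tuple(int(part) for part in base.split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad so that 2.0 compares equal to 2.0.0
    if not qualifier:
        return (nums, 1, 99, 0)
    match = re.fullmatch(r"([A-Za-z]+)(\d*)", qualifier)
    if match is None:
        raise ValueError(f"unsupported qualifier in {text!r}")
    name, number = match.group(1).lower(), int(match.group(2) or 0)
    return (nums, 0, QUALIFIER_RANK.get(name, 98), number)


# Fixed points taken from the CVE descriptions in the report.
LOG4J_LOW = parse_version("2.0-beta9")
LOG4J_HIGH = parse_version("2.15.0")
LOG4J_SECURITY_RELEASES = {parse_version(v) for v in ("2.12.2", "2.12.3", "2.3.1")}
JACKSON_FIXED = parse_version("2.9.7")


def affected_cve(gav: str) -> Optional[str]:
    """Return the CVE id if the coordinate is inside a range the report describes, else None."""
    coord = gav[len("gav://"):] if gav.startswith("gav://") else gav
    group, artifact, version = coord.split(":")
    key = parse_version(version)
    if (group, artifact) == ("org.apache.logging.log4j", "log4j-core"):
        # CVE-2021-44228: 2.0-beta9 through 2.15.0, excluding the three security releases.
        if key in LOG4J_SECURITY_RELEASES:
            return None
        if LOG4J_LOW <= key <= LOG4J_HIGH:
            return "CVE-2021-44228"
    if (group, artifact) == ("com.fasterxml.jackson.core", "jackson-databind"):
        # CVE-2018-14721: any 2.x release before 2.9.7.
        if key[0][0] == 2 and key < JACKSON_FIXED:
            return "CVE-2018-14721"
    return None


class Finding(NamedTuple):
    gav: str
    cve: str


def scan(gavs: List[str]) -> List[Finding]:
    """Run affected_cve over a dependency listing and keep only the hits."""
    findings = []
    for gav in gavs:
        cve = affected_cve(gav)
        if cve is not None:
            findings.append(Finding(gav, cve))
    return findings


# Constructed sample input: the two coordinates from the report plus neighbours
# on either side of each range boundary.
SAMPLE_GAVS = [
    "gav://org.apache.logging.log4j:log4j-core:2.13.3",
    "gav://org.apache.logging.log4j:log4j-core:2.12.2",
    "gav://org.apache.logging.log4j:log4j-core:2.17.1",
    "gav://org.apache.logging.log4j:log4j-core:2.0-beta9",
    "gav://com.fasterxml.jackson.core:jackson-databind:2.4.0",
    "gav://com.fasterxml.jackson.core:jackson-databind:2.9.7",
    "gav://com.fasterxml.jackson.core:jackson-databind:2.12.3",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_GAVS):
        print(f"{finding.cve}\t{finding.gav}")
```

The boundary cases are the point of the exercise: the lower bound `2.0-beta9` is itself affected, the security releases inside the range are not, and for jackson-databind the fixed version `2.9.7` is the first one that passes. A real software composition analysis tool would read these ranges from a vulnerability feed and walk the full transitive tree (for example the output of `mvn dependency:tree`) rather than a hand-written list, but the comparison logic is the same.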
--
This message was sent by Atlassian Jira
(v8.20.7#820007)