[
https://issues.apache.org/jira/browse/RANGER-3785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Anurag updated RANGER-3785:
---------------------------
Description:
Hi Team
We have found two CVSS V3 >= 10 vulnerabilities in the latest Ranger Admin
release. Kindly help us patch this at the earliest, since these are critical
and may lead to unforeseen adversities.
Details of the vulnerabilities:
|Summary|CVE|Severity|Component|CVSS V3|Source Comp Id|Details|
|Apache Log4j2 2.0-beta9 through 2.15.0|CVE-2021-44228|Critical|org.apache.logging.log4j:log4j-core|10.0/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H|gav://org.apache.logging.log4j:log4j-core:2.13.3|Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.|
|FasterXML jackson-databind|CVE-2018-14721|Critical|com.fasterxml.jackson.core:jackson-databind|10.0/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H|gav://com.fasterxml.jackson.core:jackson-databind:2.4.0|FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.|
Thanks and Regards
Anurag
was:
Hi Team
We have found two CVSS V3 >= 10 vulnerabilities in the latest Ranger Admin
release. Kindly help us patch this at the earliest, since these are critical
and may lead of unforeseen adversities.
Details of the vulnerability:
|Summary|CVE|Severity|Component|CVSS V3|Source Comp Id|Details|
|Apache Log4j2 2.0-beta9 through 2.15.0|CVE-2021-44228|Critical|org.apache.logging.log4j:log4j-core|10.0/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H|gav://org.apache.logging.log4j:log4j-core:2.13.3|Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.|
|FasterXML jackson-databind|CVE-2018-14721|Critical|com.fasterxml.jackson.core:jackson-databind|10.0/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H|gav://com.fasterxml.jackson.core:jackson-databind:2.4.0|FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.|
Thanks and Regards
Anurag
> CVSS-V3 >= 10 vulnerability in Apache Ranger 2.2.0
> --------------------------------------------------
>
> Key: RANGER-3785
> URL: https://issues.apache.org/jira/browse/RANGER-3785
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 2.2.0
> Reporter: Anurag
> Priority: Critical
>
> Hi Team
>
> We have found two CVSS V3 >= 10 vulnerabilities in the latest Ranger Admin
> release. Kindly help us patch this at the earliest, since these are critical
> and may lead to unforeseen adversities.
>
> Details of the vulnerabilities:
>
> |Summary|CVE|Severity|Component|CVSS V3|Source Comp Id|Details|
> |Apache Log4j2 2.0-beta9 through 2.15.0|CVE-2021-44228|Critical|org.apache.logging.log4j:log4j-core|10.0/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H|gav://org.apache.logging.log4j:log4j-core:2.13.3|Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.|
> |FasterXML jackson-databind|CVE-2018-14721|Critical|com.fasterxml.jackson.core:jackson-databind|10.0/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H|gav://com.fasterxml.jackson.core:jackson-databind:2.4.0|FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.|
>
> Thanks and Regards
> Anurag
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
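The ticket reports the two artifacts by GAV (log4j-core 2.13.3, jackson-databind 2.4.0) and quotes the affected ranges from the CVE text. The script below is an added example, not part of the ticket or of the Ranger project, that turns those quoted ranges into a check you can run against a lib/ listing of a Ranger Admin install: it parses Maven-style jar file names, compares versions so that pre-releases such as 2.0-beta9 order correctly, and reports which jars fall inside the stated ranges. The sample listing is constructed for the demo (the ticket does not show Ranger's jar layout); the version ranges and exclusions are taken verbatim from the CVE text in the ticket. A hit means the jar is in the affected range, not that the deployment is exploitable: the Log4j issue additionally needs message lookup substitution enabled, and the jackson-databind issue needs polymorphic typing in use.

```python
"""Flag jars in a directory listing that fall in the CVE ranges quoted in RANGER-3785."""
import re
from typing import List, Optional, Tuple

# Constructed sample of a Ranger Admin lib/ directory (an assumption for this
# demo). The two versions match the GAVs reported in the ticket.
SAMPLE_LISTING = """\
log4j-api-2.13.3.jar
log4j-core-2.13.3.jar
jackson-annotations-2.4.0.jar
jackson-core-2.4.0.jar
jackson-databind-2.4.0.jar
ranger-admin-2.2.0.jar
"""

# artifactId-version.jar; the artifact part is non-greedy so the version
# starts at the first "-<digit>" boundary (log4j-core-2.13.3 -> log4j-core / 2.13.3).
_JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d[\w.-]*)\.jar$")


def parse_version(v: str):
    """Comparable key for Maven-style versions such as 2.13.3 or 2.0-beta9.
    Numeric components compare as integers, padded so 2.0 == 2.0.0; a
    pre-release suffix sorts below the bare release, so 2.0-beta9 < 2.0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(.+))?", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    pre = m.group(2)
    if pre is None:
        return (nums, 1, ())
    # Split "beta9" into ("beta", 9); tag tokens so ints and strs never compare.
    tokens = tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                   for t in re.findall(r"\d+|[A-Za-z]+", pre))
    return (nums, 0, tokens)


def _log4j_core_affected(v: str) -> bool:
    """CVE-2021-44228 range as quoted in the ticket: 2.0-beta9 through 2.15.0,
    excluding the security releases 2.12.2, 2.12.3 and 2.3.1."""
    k = parse_version(v)
    safe = {parse_version(x) for x in ("2.12.2", "2.12.3", "2.3.1")}
    if k in safe:
        return False
    return parse_version("2.0-beta9") <= k <= parse_version("2.15.0")


def _jackson_databind_affected(v: str) -> bool:
    """CVE-2018-14721 range as quoted in the ticket: 2.x before 2.9.7."""
    k = parse_version(v)
    return k[0][0] == 2 and k < parse_version("2.9.7")


RULES = {
    "log4j-core": ("CVE-2021-44228", _log4j_core_affected),
    "jackson-databind": ("CVE-2018-14721", _jackson_databind_affected),
}


def is_affected(artifact: str, version: str) -> Optional[str]:
    """Return the CVE id if this artifact/version is inside a quoted range, else None."""
    rule = RULES.get(artifact)
    if rule is None:
        return None
    cve, in_range = rule
    return cve if in_range(version) else None


def check_listing(listing: str) -> List[Tuple[str, str, str]]:
    """Scan a newline-separated file listing; return (artifact, version, cve) hits in order."""
    findings = []
    for line in listing.splitlines():
        m = _JAR_RE.match(line.strip())
        if not m:
            continue
        cve = is_affected(m["artifact"], m["version"])
        if cve:
            findings.append((m["artifact"], m["version"], cve))
    return findings


if __name__ == "__main__":
    for artifact, version, cve in check_listing(SAMPLE_LISTING):
        print(f"{artifact}-{version}.jar: {cve}")
```

To run it against a real install, feed `ls` output of the lib directory to `check_listing`; a jar that falls into a range needs either the upgrade named in the ticket text (log4j-core 2.16.0 or one of the listed security releases; jackson-databind 2.9.7 or later) or a documented reason why the vulnerable code path is unreachable.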