[ 
https://issues.apache.org/jira/browse/RANGER-4420?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

shanyingying updated RANGER-4420:
---------------------------------
    Description: 
For Ranger Admin, we detected the vulnerability "Slow HTTP Denial of Service 
(DoS) Attack".

This is because the embedded Tomcat code does not set the connectionTimeout 
parameter; we can add the configurable parameter 
"ranger.service.http.connector.attrib.connectionTimeout" to repair it.
{code:java}
// Read the connector timeout (ms) from configuration, falling back to 10000 ms.
server.getConnector().setAttribute("connectionTimeout",
        EmbeddedServerUtil.getLongConfig("ranger.service.http.connector.attrib.connectionTimeout", 10000L));
{code}
At the same time, we can modify the value in the 
"ranger-admin/ews/webapp/WEB-INF/classes/conf/ranger-admin-site.xml" 
configuration file, which is set to 10000ms by default.
{code:xml}
    <property>
      <name>ranger.service.http.connector.attrib.connectionTimeout</name>
      <value>5000</value>
    </property>
{code}

  was:
For Ranger Admin, we detected the vulnerability "Slow HTTP Denial of Service 
(DoS) Attack".

This is because the embedded Tomcat code does not set the connectionTimeout 
parameter; we can add the configurable parameter 
"ranger.service.http.connector.attrib.connectionTimeout" to repair it.

{code:java}
server.getConnector().setAttribute("connectionTimeout",
        EmbeddedServerUtil.getLongConfig("ranger.service.http.connector.attrib.connectionTimeout", 10000L));
{code}
 

At the same time, we can modify the value in the "ranger-admin-site.xml" 
configuration file, which is set to 10000ms by default.


> Fixing the "Slow HTTP Denial of Service (DoS) Attack" vulnerability for 
> Ranger Admin.
> -------------------------------------------------------------------------------------
>
>                 Key: RANGER-4420
>                 URL: https://issues.apache.org/jira/browse/RANGER-4420
>             Project: Ranger
>          Issue Type: Improvement
>          Components: admin, Ranger
>            Reporter: shanyingying
>            Priority: Major
>
> For Ranger Admin, we detected the vulnerability "Slow HTTP Denial of Service 
> (DoS) Attack".
> This is because the embedded Tomcat code does not set the connectionTimeout 
> parameter; we can add the configurable parameter 
> "ranger.service.http.connector.attrib.connectionTimeout" to repair it.
> {code:java}
> server.getConnector().setAttribute("connectionTimeout",
>         EmbeddedServerUtil.getLongConfig("ranger.service.http.connector.attrib.connectionTimeout", 10000L));
> {code}
> At the same time, we can modify the value in the 
> "ranger-admin/ews/webapp/WEB-INF/classes/conf/ranger-admin-site.xml" 
> configuration file, which is set to 10000ms by default.
> {code:xml}
>     <property>
>       <name>ranger.service.http.connector.attrib.connectionTimeout</name>
>       <value>5000</value>
>     </property>
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
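
An added example, not part of the original issue or Ranger's code: a Python check that reads the contents of a ranger-admin-site.xml and reports whether the connector timeout described in the issue is set to a usable value. The sample XML is constructed, and the 20000 ms ceiling and the last-duplicate-wins rule are assumptions.

```python
import xml.etree.ElementTree as ET

PROP = "ranger.service.http.connector.attrib.connectionTimeout"
CODE_DEFAULT_MS = 10000  # fallback passed to getLongConfig in the issue's snippet
MAX_OK_MS = 20000        # hypothetical policy ceiling, not a Ranger or Tomcat value

# Constructed sample input in the <configuration>/<property> layout of the site file.
SAMPLE_SITE_XML = """<configuration>
  <property>
    <name>ranger.service.http.connector.attrib.connectionTimeout</name>
    <value>5000</value>
  </property>
</configuration>"""


def audit_connection_timeout(site_xml, max_ok_ms=MAX_OK_MS):
    """Return (status, effective_ms, message) for the connector timeout."""
    root = ET.fromstring(site_xml)
    values = [
        (p.findtext("value") or "").strip()
        for p in root.iter("property")
        if (p.findtext("name") or "").strip() == PROP
    ]
    if not values:
        return ("default", CODE_DEFAULT_MS, "property absent; code fallback applies")
    raw = values[-1]  # assumption: the last duplicate entry wins
    try:
        ms = int(raw)
    except ValueError:
        return ("invalid", None, f"non-numeric value {raw!r}")
    if ms <= 0:
        # Tomcat documents -1 as "no timeout"; treat every non-positive value as unsafe.
        return ("unsafe", ms, "timeout disabled; slow clients can hold connections open")
    if ms > max_ok_ms:
        return ("weak", ms, f"{ms} ms exceeds the {max_ok_ms} ms ceiling")
    return ("ok", ms, f"connector waits at most {ms} ms for the request line")


if __name__ == "__main__":
    print(audit_connection_timeout(SAMPLE_SITE_XML))
```
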
