[ https://issues.apache.org/jira/browse/RANGER-5094?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Basapuram Kumar resolved RANGER-5094. ------------------------------------- Resolution: Duplicate https://issues.apache.org/jira/browse/RANGER-4892 > Bump tomcat to 8.9.96 > --------------------- > > Key: RANGER-5094 > URL: https://issues.apache.org/jira/browse/RANGER-5094 > Project: Ranger > Issue Type: Improvement > Components: Ranger > Affects Versions: 2.5.0 > Reporter: Basapuram Kumar > Assignee: Basapuram Kumar > Priority: Major > Time Spent: 0.5h > Remaining Estimate: 0h > > Bump tomcat to 8.9.96 to fix CVE-2023-46589 > CVE-2023-46589 Description > ``` > Improper Input Validation vulnerability in Apache Tomcat.Tomcat from > 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 > through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP > trailer headers. A trailer header that exceeded the header size limit could > cause Tomcat to treat a single request as multiple requests leading to the > possibility of request smuggling when behind a reverse proxy. Users are > recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 > onwards or 8.5.96 onwards, which fix the issue. > ``` > > As per this tomcat *8.5.96* onwards has the {*}fix{*}, and currently ranger > uses *8.5.94.* > > Suggesting to bump the tomcat to 8.5.96. -- This message was sent by Atlassian Jira (v8.20.10#820010)