[ https://issues.apache.org/jira/browse/RANGER-5477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bhavesh Amre reopened RANGER-5477:
----------------------------------
{{+ Sun Feb 8 06:38:32 PM UTC 2026 : Saving current config file:
/opt/hadoop/etc/hadoop/hdfs-site.xml to
/opt/hadoop/etc/hadoop/.hdfs-site.xml.20260208-183832 ...}}
{{*************************************************************************}}
{{******* ERROR: unable to process xml configuration changes due to
error:Cannot set the feature
'http://xml.org/sax/features/external-general-entities' on this
TransformerFactory.}}
{{javax.xml.transform.TransformerConfigurationException: Cannot set the feature
'http://xml.org/sax/features/external-general-entities' on this
TransformerFactory.}}
{{ at
com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl.setFeature(TransformerFactoryImpl.java:549)}}
{{ at
org.apache.ranger.utils.install.XmlConfigChanger.run(XmlConfigChanger.java:286)}}
{{ at
org.apache.ranger.utils.install.XmlConfigChanger.main(XmlConfigChanger.java:77)}}
{{*************************************************************************}}
{{ERROR: Unable to make changes to config. file:
/opt/hadoop/etc/hadoop/hdfs-site.xml}}
{{exiting ....}}
{{Custom user and group is available, using custom user and group.}}
{{+ Sun Feb 8 06:38:32 PM UTC 2026 : yarn: lib
folder=/opt/hadoop/share/hadoop/hdfs/lib conf folder=/opt/hadoop/etc/hadoop}}
{{+ Sun Feb 8 06:38:32 PM UTC 2026 : Saving
/opt/hadoop/etc/hadoop/ranger-policymgr-ssl.xml to
/opt/hadoop/etc/hadoop/.ranger-policymgr-ssl.xml.20260208-183832 ...}}
{{+ Sun Feb 8 06:38:32 PM UTC 2026 : Saving current config file:
/opt/hadoop/etc/hadoop/ranger-policymgr-ssl.xml to
/opt/hadoop/etc/hadoop/.ranger-policymgr-ssl.xml.20260208-183832 ...}}
{{*************************************************************************}}
{{******* ERROR: unable to process xml configuration changes due to
error:Cannot set the feature
'http://xml.org/sax/features/external-general-entities' on this
TransformerFactory.}}
{{javax.xml.transform.TransformerConfigurationException: Cannot set the feature
'http://xml.org/sax/features/external-general-entities' on this
TransformerFactory.}}
{{ at
com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl.setFeature(TransformerFactoryImpl.java:549)}}
{{ at
org.apache.ranger.utils.install.XmlConfigChanger.run(XmlConfigChanger.java:286)}}
{{ at
org.apache.ranger.utils.install.XmlConfigChanger.main(XmlConfigChanger.java:77)}}
{{*************************************************************************}}
{{ERROR: Unable to make changes to config. file:
/opt/hadoop/etc/hadoop/ranger-policymgr-ssl.xml}}
{{exiting ....}}
{{Ranger Hadoop Setup Script didn't complete proper execution.}}
{{Reopened due to the above errors.}}
> XML External Entity Injection Security issue in Ranger
> ------------------------------------------------------
>
> Key: RANGER-5477
> URL: https://issues.apache.org/jira/browse/RANGER-5477
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Dhaval Shah
> Assignee: Bhavesh Amre
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Scan has identified XXE as a critical finding.
> {code:java}
> factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
> factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
> factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
> {code}
>
> {code:java}
> TransformerFactory tfactory = TransformerFactory.newInstance();
> tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
> Transformer transformer = tfactory.newTransformer();
> transformer.setOutputProperty(OutputKeys.INDENT, "yes");
>
> transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
>
> DOMSource source = new DOMSource(doc);
> FileOutputStream out = new FileOutputStream(outFile);
> StreamResult result = new StreamResult(out);
> transformer.transform(source, result);
> out.close();
> {code}
> file: /agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
> line number.
>
>
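The stack trace in the reopen comment shows `setFeature` being called on a `TransformerFactory` with the SAX parser feature `external-general-entities`, which the JDK's built-in `TransformerFactoryImpl` rejects. The following is an added example, not Ranger's code or its fix: it puts the SAX/Xerces features on the `DocumentBuilderFactory` and restricts the `TransformerFactory` through the JAXP 1.5 `ACCESS_EXTERNAL_*` attributes instead. The class name, method names and sample XML are hypothetical.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
public class HardenedXmlRoundTrip {
    // Parser side: the SAX/Xerces feature URIs from the issue description belong here.
    static DocumentBuilderFactory hardenedParserFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }
    // Serializer side: the JDK TransformerFactory does not accept the SAX feature URIs.
    // Assumes a JAXP 1.5 implementation (the JDK built-in one seen in the stack trace).
    static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // no external DTD fetch
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); // no external stylesheet fetch
        return tf;
    }
    // Parse with the hardened parser, then serialize with the hardened transformer.
    static String roundTrip(String xml) throws Exception {
        Document doc = hardenedParserFactory().newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        Transformer t = hardenedTransformerFactory().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample inputs, not taken from a Ranger installation.
        String plain = "<configuration><property><name>k</name><value>v</value></property></configuration>";
        String withDoctype = "<!DOCTYPE configuration [<!ENTITY e \"x\">]><configuration>&e;</configuration>";
        System.out.println(roundTrip(plain));
        try { roundTrip(withDoctype); }
        catch (SAXParseException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

With `disallow-doctype-decl` enabled, any input carrying a `DOCTYPE` is rejected at parse time, so a configuration file that legitimately declares one would need a different policy.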