[ 
https://issues.apache.org/jira/browse/RANGER-2244?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Qiang Zhang updated RANGER-2244:
--------------------------------
    Attachment: 0001-RANGER-2244-Tomcat-Security-Vulnerability-Alert.-The.patch

> Tomcat Security Vulnerability Alert. The version of the tomcat for ranger 
> should upgrade to 7.0.91 or later.
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-2244
>                 URL: https://issues.apache.org/jira/browse/RANGER-2244
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>    Affects Versions: master
>            Reporter: Qiang Zhang
>            Assignee: Qiang Zhang
>            Priority: Major
>              Labels: patch
>             Fix For: 2.0.0
>
>         Attachments: 
> 0001-RANGER-2244-Tomcat-Security-Vulnerability-Alert.-The.patch
>
>
> h2. [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect
> CVE-2018-11784 Apache Tomcat - Open Redirect
> Severity: Moderate
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.11
> Apache Tomcat 8.5.0 to 8.5.33
> Apache Tomcat 7.0.23 to 7.0.90
> The unsupported 8.0.x release line has not been analysed but is likely
> to be affected.
> Description:
> When the default servlet returned a redirect to a directory (e.g.
> redirecting to '/foo/' when the user requested '/foo') a specially
> crafted URL could be used to cause the redirect to be generated to any
> URI of the attackers choice.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> * Upgrade to Apache Tomcat 9.0.12 or later.
> * Upgrade to Apache Tomcat 8.5.34 or later.
> * Upgrade to Apache Tomcat 7.0.91 or later.
> * Use mapperDirectoryRedirectEnabled="true" and
>   mapperContextRootRedirectEnabled="true" on the Context to ensure that
>   redirects are issued by the Mapper rather than the default Servlet.
>   See the Context configuration documentation for further important
>   details.
> Credit:
> This vulnerability was found by Sergey Bobrov and reported responsibly
> to the Apache Tomcat Security Team.
> History:
> 2018-10-03 Original advisory
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
> [3] http://tomcat.apache.org/security-7.html



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to