Re: Review Request 69340: RANGER-2244 Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.91 or later.

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69340/#review210829
---

Ship it!

Ship It!

- Mehul Parikh


On Nov. 15, 2018, 9:01 a.m., Qiang Zhang wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69340/
> ---
> 
> (Updated Nov. 15, 2018, 9:01 a.m.)
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O
> hEigeartaigh, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh,
> Nitin Galave, pengjianhua, Pradeep Agrawal, Ramesh Mani, Selvamohan
> Neethiraj, Sailaja Polavarapu, sam rome, Venkat Ranganathan, and Velmurugan
> Periasamy.
> 
> Bugs: RANGER-2244
> https://issues.apache.org/jira/browse/RANGER-2244
> 
> Repository: ranger
> 
> Description
> ---
> 
> [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect
> CVE-2018-11784 Apache Tomcat - Open Redirect
> 
> Severity: Moderate
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.11
> Apache Tomcat 8.5.0 to 8.5.33
> Apache Tomcat 7.0.23 to 7.0.90
> The unsupported 8.0.x release line has not been analysed but is likely
> to be affected.
> 
> Description:
> When the default servlet returned a redirect to a directory (e.g.
> redirecting to '/foo/' when the user requested '/foo') a specially
> crafted URL could be used to cause the redirect to be generated to any
> URI of the attacker's choice.
> 
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> 
> Upgrade to Apache Tomcat 9.0.12 or later.
> Upgrade to Apache Tomcat 8.5.34 or later.
> Upgrade to Apache Tomcat 7.0.91 or later.
> Use mapperDirectoryRedirectEnabled="true" and
> mapperContextRootRedirectEnabled="true" on the Context to ensure that
> redirects are issued by the Mapper rather than the default Servlet.
> See the Context configuration documentation for further important
> details.
> 
> Credit:
> This vulnerability was found by Sergey Bobrov and reported responsibly
> to the Apache Tomcat Security Team.
> 
> History:
> 2018-10-03 Original advisory
> 
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
> [3] http://tomcat.apache.org/security-7.html
> 
> Diffs
> -
> 
> embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
> eac0dacaf
> pom.xml 514f87e7f
> 
> Diff: https://reviews.apache.org/r/69340/diff/1/
> 
> Testing
> ---
> 
> 1. Modify the ssl configuration item in install.properties for the Ranger
> Admin.
> 
> **SSL config**
> 
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> javax_net_ssl_keyStore=/opt/ranger-ssl/keystore
> javax_net_ssl_keyStorePassword=hdp1234$
> javax_net_ssl_trustStore=/opt/ranger-ssl/truststore
> javax_net_ssl_trustStorePassword=hdp1234$
> ...
> 
> **--- PolicyManager CONFIG **
> 
> policymgr_external_url=https://localhost:6182
> policymgr_http_enabled=false
> policymgr_https_keystore_file=/opt/ranger-ssl/rangertomcatverify.jks
> policymgr_https_keystore_keyalias=rangertomcatverify
> policymgr_https_keystore_password=hdp1234$
> 
> 2. Install the Ranger Admin
> 
> 3. Modify the ssl configuration item in install.properties for the usersync.
> 
> **POLICY_MGR_URL = http://policymanager.xasecure.net:6080**
> 
> POLICY_MGR_URL = https://sslrangerserver:6182
> 
> **SSL Authentication**
> 
> AUTH_SSL_ENABLED=false
> AUTH_SSL_KEYSTORE_FILE=/opt/ranger-ssl/keystore
> AUTH_SSL_KEYSTORE_PASSWORD=hdp1234$
> AUTH_SSL_TRUSTSTORE_FILE=/opt/ranger-ssl/truststore
> AUTH_SSL_TRUSTSTORE_PASSWORD=hdp1234$
> 
> 4. Install the Ranger usersync
> 
> 5. Modified the ssl configuration item in install.properties for the kms.
> 
> **POLICY_MGR_URL = http://policymanager.xasecure.net:6080**
> 
> POLICY_MGR_URL = https://sslrangerserver:6182
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> db_ssl_auth_type=2-way
> javax_net_ssl_keyStore=/opt/ranger-ssl/keystore
> javax_net_ssl_keyStorePassword=hdp1234$
> javax_net_ssl_trustStore=/opt/ranger-ssl/truststore
> javax_net_ssl_trustStorePassword=hdp1234$
> 
> **SSL Client Certificate Information**
> 
> SSL_KEYSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-keystore.jks
> SSL_KEYSTORE_PASSWORD=myKeyFilePassword
> SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-truststore.jks
> SSL_TRUSTSTORE_PASSWORD=myTrustFilePassword
> 
> 6. Install the KMS
> 
> 7. Modified the ssl configuration item in install.properties for plugins
> 
> **POLICY_MGR_URL = http://policymanager.xasecure.net:6080**
> 
> POLICY_MGR_URL =
Re: Review Request 69340: RANGER-2244 Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.91 or later.

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69340/#review210641
---

Ship it!

Ship It!

- pengjianhua


On Nov. 15, 2018, 9:01 a.m., Qiang Zhang wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69340/
> ---
> 
> (Updated Nov. 15, 2018, 9:01 a.m.)
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O
> hEigeartaigh, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh,
> Nitin Galave, pengjianhua, Pradeep Agrawal, Ramesh Mani, Selvamohan
> Neethiraj, Sailaja Polavarapu, sam rome, Venkat Ranganathan, and Velmurugan
> Periasamy.
> 
> Bugs: RANGER-2244
> https://issues.apache.org/jira/browse/RANGER-2244
> 
> Repository: ranger
> 
> Description
> ---
> 
> [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect
> CVE-2018-11784 Apache Tomcat - Open Redirect
> 
> Severity: Moderate
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.11
> Apache Tomcat 8.5.0 to 8.5.33
> Apache Tomcat 7.0.23 to 7.0.90
> The unsupported 8.0.x release line has not been analysed but is likely
> to be affected.
> 
> Description:
> When the default servlet returned a redirect to a directory (e.g.
> redirecting to '/foo/' when the user requested '/foo') a specially
> crafted URL could be used to cause the redirect to be generated to any
> URI of the attacker's choice.
> 
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> 
> Upgrade to Apache Tomcat 9.0.12 or later.
> Upgrade to Apache Tomcat 8.5.34 or later.
> Upgrade to Apache Tomcat 7.0.91 or later.
> Use mapperDirectoryRedirectEnabled="true" and
> mapperContextRootRedirectEnabled="true" on the Context to ensure that
> redirects are issued by the Mapper rather than the default Servlet.
> See the Context configuration documentation for further important
> details.
> 
> Credit:
> This vulnerability was found by Sergey Bobrov and reported responsibly
> to the Apache Tomcat Security Team.
> 
> History:
> 2018-10-03 Original advisory
> 
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
> [3] http://tomcat.apache.org/security-7.html
> 
> Diffs
> -
> 
> embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
> eac0dacaf
> pom.xml 514f87e7f
> 
> Diff: https://reviews.apache.org/r/69340/diff/1/
> 
> Testing
> ---
> 
> 1. Modify the ssl configuration item in install.properties for the Ranger
> Admin.
> 
> **SSL config**
> 
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> javax_net_ssl_keyStore=/opt/ranger-ssl/keystore
> javax_net_ssl_keyStorePassword=hdp1234$
> javax_net_ssl_trustStore=/opt/ranger-ssl/truststore
> javax_net_ssl_trustStorePassword=hdp1234$
> ...
> 
> **--- PolicyManager CONFIG **
> 
> policymgr_external_url=https://localhost:6182
> policymgr_http_enabled=false
> policymgr_https_keystore_file=/opt/ranger-ssl/rangertomcatverify.jks
> policymgr_https_keystore_keyalias=rangertomcatverify
> policymgr_https_keystore_password=hdp1234$
> 
> 2. Install the Ranger Admin
> 
> 3. Modify the ssl configuration item in install.properties for the usersync.
> 
> **POLICY_MGR_URL = http://policymanager.xasecure.net:6080**
> 
> POLICY_MGR_URL = https://sslrangerserver:6182
> 
> **SSL Authentication**
> 
> AUTH_SSL_ENABLED=false
> AUTH_SSL_KEYSTORE_FILE=/opt/ranger-ssl/keystore
> AUTH_SSL_KEYSTORE_PASSWORD=hdp1234$
> AUTH_SSL_TRUSTSTORE_FILE=/opt/ranger-ssl/truststore
> AUTH_SSL_TRUSTSTORE_PASSWORD=hdp1234$
> 
> 4. Install the Ranger usersync
> 
> 5. Modified the ssl configuration item in install.properties for the kms.
> 
> **POLICY_MGR_URL = http://policymanager.xasecure.net:6080**
> 
> POLICY_MGR_URL = https://sslrangerserver:6182
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> db_ssl_auth_type=2-way
> javax_net_ssl_keyStore=/opt/ranger-ssl/keystore
> javax_net_ssl_keyStorePassword=hdp1234$
> javax_net_ssl_trustStore=/opt/ranger-ssl/truststore
> javax_net_ssl_trustStorePassword=hdp1234$
> 
> **SSL Client Certificate Information**
> 
> SSL_KEYSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-keystore.jks
> SSL_KEYSTORE_PASSWORD=myKeyFilePassword
> SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-truststore.jks
> SSL_TRUSTSTORE_PASSWORD=myTrustFilePassword
> 
> 6. Install the KMS
> 
> 7. Modified the ssl configuration item in install.properties for plugins
> 
> **POLICY_MGR_URL = http://policymanager.xasecure.net:6080**
> 
> POLICY_MGR_URL = https://sslrangerserver:6182
> 
Review Request 69340: RANGER-2244 Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.91 or later.

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69340/
---

Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O
hEigeartaigh, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh,
Nitin Galave, pengjianhua, Pradeep Agrawal, Ramesh Mani, Selvamohan
Neethiraj, Sailaja Polavarapu, sam rome, Venkat Ranganathan, and Velmurugan
Periasamy.

Bugs: RANGER-2244
https://issues.apache.org/jira/browse/RANGER-2244

Repository: ranger

Description
---

[SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect
CVE-2018-11784 Apache Tomcat - Open Redirect

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.11
Apache Tomcat 8.5.0 to 8.5.33
Apache Tomcat 7.0.23 to 7.0.90
The unsupported 8.0.x release line has not been analysed but is likely
to be affected.

Description:
When the default servlet returned a redirect to a directory (e.g.
redirecting to '/foo/' when the user requested '/foo') a specially
crafted URL could be used to cause the redirect to be generated to any
URI of the attacker's choice.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:

Upgrade to Apache Tomcat 9.0.12 or later.
Upgrade to Apache Tomcat 8.5.34 or later.
Upgrade to Apache Tomcat 7.0.91 or later.
Use mapperDirectoryRedirectEnabled="true" and
mapperContextRootRedirectEnabled="true" on the Context to ensure that
redirects are issued by the Mapper rather than the default Servlet.
See the Context configuration documentation for further important
details.

Credit:
This vulnerability was found by Sergey Bobrov and reported responsibly
to the Apache Tomcat Security Team.

History:
2018-10-03 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html

Diffs
-

embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
eac0dacaf
pom.xml 514f87e7f

Diff: https://reviews.apache.org/r/69340/diff/1/

Testing
---

1. Modify the ssl configuration item in install.properties for the Ranger
Admin.

**SSL config**

db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
javax_net_ssl_keyStore=/opt/ranger-ssl/keystore
javax_net_ssl_keyStorePassword=hdp1234$
javax_net_ssl_trustStore=/opt/ranger-ssl/truststore
javax_net_ssl_trustStorePassword=hdp1234$
...

**--- PolicyManager CONFIG **

policymgr_external_url=https://localhost:6182
policymgr_http_enabled=false
policymgr_https_keystore_file=/opt/ranger-ssl/rangertomcatverify.jks
policymgr_https_keystore_keyalias=rangertomcatverify
policymgr_https_keystore_password=hdp1234$

2. Install the Ranger Admin

3. Modify the ssl configuration item in install.properties for the usersync.

**POLICY_MGR_URL = http://policymanager.xasecure.net:6080**

POLICY_MGR_URL = https://sslrangerserver:6182

**SSL Authentication**

AUTH_SSL_ENABLED=false
AUTH_SSL_KEYSTORE_FILE=/opt/ranger-ssl/keystore
AUTH_SSL_KEYSTORE_PASSWORD=hdp1234$
AUTH_SSL_TRUSTSTORE_FILE=/opt/ranger-ssl/truststore
AUTH_SSL_TRUSTSTORE_PASSWORD=hdp1234$

4. Install the Ranger usersync

5. Modified the ssl configuration item in install.properties for the kms.

**POLICY_MGR_URL = http://policymanager.xasecure.net:6080**

POLICY_MGR_URL = https://sslrangerserver:6182
db_ssl_enabled=true
db_ssl_required=true
db_ssl_verifyServerCertificate=true
db_ssl_auth_type=2-way
javax_net_ssl_keyStore=/opt/ranger-ssl/keystore
javax_net_ssl_keyStorePassword=hdp1234$
javax_net_ssl_trustStore=/opt/ranger-ssl/truststore
javax_net_ssl_trustStorePassword=hdp1234$

**SSL Client Certificate Information**

SSL_KEYSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-keystore.jks
SSL_KEYSTORE_PASSWORD=myKeyFilePassword
SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-truststore.jks
SSL_TRUSTSTORE_PASSWORD=myTrustFilePassword

6. Install the KMS

7. Modified the ssl configuration item in install.properties for plugins

**POLICY_MGR_URL = http://policymanager.xasecure.net:6080**

POLICY_MGR_URL = https://sslrangerserver:6182

**SSL Client Certificate Information**

SSL_KEYSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-keystore.jks
SSL_KEYSTORE_PASSWORD=myKeyFilePassword
SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-truststore.jks
SSL_TRUSTSTORE_PASSWORD=myTrustFilePassword

8. Install plugins

Thanks,

Qiang Zhang
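The fix under review is a Tomcat version bump in pom.xml to a release at or past the advisory's fixed versions. The following script is an added example, not part of the review request or of Ranger's code: it parses a Maven pom.xml, resolves `${property}` placeholders for every `org.apache.tomcat*` dependency and compares each resolved version against the first fixed release on its line (7.0.91, 8.5.34 and 9.0.12, taken from the advisory quoted above). A release line the advisory lists no fix for, such as the unsupported 8.0.x, is reported as not fixed, and milestone versions such as 9.0.0.M1 sort below the final release of the same number. The sample pom and the `tomcat.version` property name are constructed for this example and do not reproduce Ranger's actual pom.xml.

```python
"""Check the Tomcat version declared in a Maven pom.xml against the fixed
releases listed in the CVE-2018-11784 advisory (example code, not Ranger's)."""
import re
import xml.etree.ElementTree as ET

# First fixed release on each supported Tomcat line, from the advisory.
FIXED = {
    (7, 0): (7, 0, 91),
    (8, 5): (8, 5, 34),
    (9, 0): (9, 0, 12),
}

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom; the tomcat.version property name and the module
# layout are assumptions for this example, not Ranger's actual pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>embeddedwebserver</artifactId>
  <version>1.0</version>
  <properties>
    <tomcat.version>7.0.90</tomcat.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-core</artifactId>
      <version>${tomcat.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """'7.0.91' -> (7, 0, 91, 1); '9.0.0.M1' -> (9, 0, 0, 0).

    The last element is 1 for a final release and 0 for a milestone such as
    M1, so 9.0.0.M1 sorts below 9.0.0 as it should."""
    nums, final = [], 1
    for part in text.strip().split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            final = 0
            break
    nums = (nums + [0, 0, 0])[:3]
    return (nums[0], nums[1], nums[2], final)


def is_fixed(version_text):
    """Return (ok, reason) for one Tomcat version string."""
    v = parse_version(version_text)
    line = (v[0], v[1])
    if line not in FIXED:
        return False, (f"Tomcat {version_text}: line {line[0]}.{line[1]}.x has no "
                       "fixed release in the advisory (8.0.x is unsupported and "
                       "likely affected)")
    fixed_text = ".".join(str(n) for n in FIXED[line])
    if v >= FIXED[line] + (1,):
        return True, f"Tomcat {version_text} is at or past {fixed_text}"
    return False, f"Tomcat {version_text} is affected; upgrade to {fixed_text} or later"


def tomcat_versions_in_pom(pom_text):
    """Map artifactId -> version for every org.apache.tomcat* dependency,
    resolving ${property} placeholders from <properties>."""
    root = ET.fromstring(pom_text)
    ns = MAVEN_NS if root.tag.startswith(MAVEN_NS) else ""
    props = {child.tag.replace(ns, ""): (child.text or "").strip()
             for child in root.findall(f"./{ns}properties/*")}
    found = {}
    for dep in root.iter(f"{ns}dependency"):
        if not dep.findtext(f"{ns}groupId", default="").startswith("org.apache.tomcat"):
            continue
        artifact = dep.findtext(f"{ns}artifactId", default="?")
        raw = dep.findtext(f"{ns}version", default="").strip()
        # Unresolvable placeholders are left verbatim so they show up as failures.
        found[artifact] = re.sub(r"\$\{([^}]+)\}",
                                 lambda m: props.get(m.group(1), m.group(0)), raw)
    return found


def check_pom(pom_text):
    """Return artifactId -> (ok, reason) for all Tomcat dependencies in a pom."""
    return {a: is_fixed(v) for a, v in tomcat_versions_in_pom(pom_text).items()}


if __name__ == "__main__":
    for artifact, (ok, reason) in check_pom(SAMPLE_POM).items():
        print("OK  " if ok else "FAIL", artifact, "-", reason)
```

To run it against a real build, pass the file contents to `check_pom(open("pom.xml").read())`. The script reads a single pom only and does not follow parent poms or `dependencyManagement` inheritance, so in a multi-module build like Ranger's it has to be pointed at the module that actually declares the Tomcat version.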