-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69340/#review210641
-----------------------------------------------------------

Ship it!

Ship It!

- pengjianhua


On November 15, 2018, 9:01 a.m., Qiang Zhang wrote:

> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69340/
> -----------------------------------------------------------
>
> (Updated November 15, 2018, 9:01 a.m.)
>
>
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nitin Galave, pengjianhua, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, sam rome, Venkat Ranganathan, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2244
>     https://issues.apache.org/jira/browse/RANGER-2244
>
>
> Repository: ranger
>
>
> Description
> -------
>
> [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect
>
> CVE-2018-11784 Apache Tomcat - Open Redirect
>
> Severity: Moderate
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.11
> Apache Tomcat 8.5.0 to 8.5.33
> Apache Tomcat 7.0.23 to 7.0.90
> The unsupported 8.0.x release line has not been analysed but is likely to be affected.
>
> Description:
> When the default servlet returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.
>
> Mitigation:
> Users of the affected versions should apply one of the following mitigations:
>
> Upgrade to Apache Tomcat 9.0.12 or later.
> Upgrade to Apache Tomcat 8.5.34 or later.
> Upgrade to Apache Tomcat 7.0.91 or later.
> Use mapperDirectoryRedirectEnabled="true" and mapperContextRootRedirectEnabled="true" on the Context to ensure that redirects are issued by the Mapper rather than the default Servlet. See the Context configuration documentation for further important details.
>
> Credit:
> This vulnerability was found by Sergey Bobrov and reported responsibly to the Apache Tomcat Security Team.
>
> History:
> 2018-10-03 Original advisory
>
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
> [3] http://tomcat.apache.org/security-7.html
>
>
> Diffs
> -----
>
>   embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java eac0dacaf
>   pom.xml 514f87e7f
>
>
> Diff: https://reviews.apache.org/r/69340/diff/1/
>
>
> Testing
> -------
>
> 1. Modify the SSL configuration item in install.properties for the Ranger Admin.
>
> **SSL config**
>
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> javax_net_ssl_keyStore=/opt/ranger-ssl/keystore
> javax_net_ssl_keyStorePassword=hdp1234$
> javax_net_ssl_trustStore=/opt/ranger-ssl/truststore
> javax_net_ssl_trustStorePassword=hdp1234$
> ...
>
> **------- PolicyManager CONFIG ----------------**
>
> policymgr_external_url=https://localhost:6182
> policymgr_http_enabled=false
> policymgr_https_keystore_file=/opt/ranger-ssl/rangertomcatverify.jks
> policymgr_https_keystore_keyalias=rangertomcatverify
> policymgr_https_keystore_password=hdp1234$
>
> 2. Install the Ranger Admin.
>
> 3. Modify the SSL configuration item in install.properties for the usersync.
>
> **POLICY_MGR_URL = http://policymanager.xasecure.net:6080**
>
> POLICY_MGR_URL = https://sslrangerserver:6182
>
> **SSL Authentication**
>
> AUTH_SSL_ENABLED=false
> AUTH_SSL_KEYSTORE_FILE=/opt/ranger-ssl/keystore
> AUTH_SSL_KEYSTORE_PASSWORD=hdp1234$
> AUTH_SSL_TRUSTSTORE_FILE=/opt/ranger-ssl/truststore
> AUTH_SSL_TRUSTSTORE_PASSWORD=hdp1234$
>
> 4. Install the Ranger usersync.
>
> 5. Modify the SSL configuration item in install.properties for the KMS.
>
> **POLICY_MGR_URL = http://policymanager.xasecure.net:6080**
>
> POLICY_MGR_URL = https://sslrangerserver:6182
> db_ssl_enabled=true
> db_ssl_required=true
> db_ssl_verifyServerCertificate=true
> db_ssl_auth_type=2-way
> javax_net_ssl_keyStore=/opt/ranger-ssl/keystore
> javax_net_ssl_keyStorePassword=hdp1234$
> javax_net_ssl_trustStore=/opt/ranger-ssl/truststore
> javax_net_ssl_trustStorePassword=hdp1234$
>
> **SSL Client Certificate Information**
>
> SSL_KEYSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-keystore.jks
> SSL_KEYSTORE_PASSWORD=myKeyFilePassword
> SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-truststore.jks
> SSL_TRUSTSTORE_PASSWORD=myTrustFilePassword
>
> 6. Install the KMS.
>
> 7. Modify the SSL configuration item in install.properties for plugins.
>
> **POLICY_MGR_URL = http://policymanager.xasecure.net:6080**
>
> POLICY_MGR_URL = https://sslrangerserver:6182
>
> **SSL Client Certificate Information**
>
> SSL_KEYSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-keystore.jks
> SSL_KEYSTORE_PASSWORD=myKeyFilePassword
> SSL_TRUSTSTORE_FILE_PATH=/opt/ranger-ssl/rangertomcatverify-truststore.jks
> SSL_TRUSTSTORE_PASSWORD=myTrustFilePassword
>
> 8. Install plugins.
>
>
> Thanks,
>
> Qiang Zhang
>
>
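The affected and fixed version ranges from the advisory quoted above, turned into a check a reviewer can run against a deployed Tomcat version string or the version pinned in a dependency manifest. This is an added example, not code from the Ranger change under review; the `<tomcat.version>` property name it looks for in pom.xml is an assumption, and the 8.0.x line is reported separately because the advisory says it was not analysed.

```python
import re

# Affected range and first fixed release per Tomcat line, as listed in the advisory.
AFFECTED = {
    (9, 0): ("9.0.0.M1", "9.0.11", "9.0.12"),
    (8, 5): ("8.5.0", "8.5.33", "8.5.34"),
    (7, 0): ("7.0.23", "7.0.90", "7.0.91"),
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")
# Assumed pom.xml property name; verify against the project's actual pom before relying on it.
_POM_RE = re.compile(r"<tomcat\.version>\s*([^<\s]+)\s*</tomcat\.version>")


def parse_version(text):
    """Turn '9.0.0.M1' or '8.5.33' into a sortable tuple. A milestone must sort
    before the final release with the same number, so the fourth component is the
    milestone number, or a large sentinel for a non-milestone release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tail = int(milestone) if milestone is not None else 10**6
    return (int(major), int(minor), int(patch), tail)


def assess(version_text):
    """Classify a version: ('affected', first_fixed), ('fixed', None),
    ('unanalysed', None) for the 8.0.x line the advisory did not analyse, or
    ('not-listed', None) for lines and versions outside the advisory's ranges."""
    v = parse_version(version_text)
    line = v[:2]
    if line == (8, 0):
        return ("unanalysed", None)
    if line not in AFFECTED:
        return ("not-listed", None)
    lo, hi, fixed = (parse_version(s) for s in AFFECTED[line])
    if lo <= v <= hi:
        return ("affected", AFFECTED[line][2])
    if v >= fixed:
        return ("fixed", None)
    return ("not-listed", None)  # below the affected range, e.g. 7.0.22


def assess_pom(pom_text):
    """Find the Tomcat version pinned in a pom.xml and assess it."""
    m = _POM_RE.search(pom_text)
    return assess(m.group(1)) if m else ("unknown", None)
```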