[jira] [Commented] (RANGER-4038) Upgrade spring framework and spring security versions

[Bhavik Patel (Jira)]

    [ 
https://issues.apache.org/jira/browse/RANGER-4038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17915775#comment-17915775
 ] 

Bhavik Patel commented on RANGER-4038:
--------------------------------------

 
{code:java}
21 Jan 2025 16:59:01 DEBUG o.a.r.u.p.PolicyMgrUserGroupBuilder 
[UnixUserSyncThread] - <== PolicyMgrUserGroupBuilder.tryUploadEntityWithCookie()
21 Jan 2025 16:59:01 DEBUG o.a.r.u.p.PolicyMgrUserGroupBuilder 
[UnixUserSyncThread] - <== PolicyMgrUserGroupBuilder.cookieBasedUploadEntity()
21 Jan 2025 16:59:01 DEBUG o.a.r.u.p.PolicyMgrUserGroupBuilder 
[UnixUserSyncThread] - RESPONSE[Unrecognized field "xgroupInfoList" (class 
org.apache.ranger.view.VXGroupList), not marked as ignorable (8 known 
properties: "startIndex", "sortBy", "vXGroups", "sortType", "totalCount", 
"resultSize", "pageSize", "queryTimeMS"])
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` 
disabled); line: 1, column: 38] (through reference chain: 
org.apache.ranger.view.VXGroupList["xgroupInfoList"])]
21 Jan 2025 16:59:01 ERROR o.a.r.u.p.PolicyMgrUserGroupBuilder 
[UnixUserSyncThread] - Failed to addOrUpdateGroups 0
java.lang.NumberFormatException: For input string: "Unrecognized field 
"xgroupInfoList" (class org.apache.ranger.view.VXGroupList), not marked as 
ignorable (8 known properties: "startIndex", "sortBy", "vXGroups", "sortType", 
"totalCount", "resultSize", "pageSize", "queryTimeMS"])
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` 
disabled); line: 1, column: 38] (through reference chain: 
org.apache.ranger.view.VXGroupList["xgroupInfoList"])"
        at 
java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:67)
        at java.base/java.lang.Integer.parseInt(Integer.java:668)
        at java.base/java.lang.Integer.valueOf(Integer.java:999)
        at 
org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.getGroups(PolicyMgrUserGroupBuilder.java:1101)
        at 
org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addOrUpdateDeltaGroups(PolicyMgrUserGroupBuilder.java:1056)
        at 
org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addOrUpdateGroups(PolicyMgrUserGroupBuilder.java:601)
        at 
org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addOrUpdateUsersGroups(PolicyMgrUserGroupBuilder.java:328)
        at 
org.apache.ranger.unixusersync.process.UnixUserGroupBuilder.updateSink(UnixUserGroupBuilder.java:209)
        at 
org.apache.ranger.usergroupsync.UserGroupSync.syncUserGroup(UserGroupSync.java:101)
        at 
org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:83)
        at java.base/java.lang.Thread.run(Thread.java:840)
21 Jan 2025 16:59:01 ERROR o.a.r.u.p.UnixUserGroupBuilder [UnixUserSyncThread] 
- Failed to update ranger admin. Will retry in next sync cycle!!
java.lang.NumberFormatException: For input string: "Unrecognized field 
"xgroupInfoList" (class org.apache.ranger.view.VXGroupList), not marked as 
ignorable (8 known properties: "startIndex", "sortBy", "vXGroups", "sortType", 
"totalCount", "resultSize", "pageSize", "queryTimeMS"])
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` 
disabled); line: 1, column: 38] (through reference chain: 
org.apache.ranger.view.VXGroupList["xgroupInfoList"])"
        at 
java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:67)
        at java.base/java.lang.Integer.parseInt(Integer.java:668)
        at java.base/java.lang.Integer.valueOf(Integer.java:999)
        at 
org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.getGroups(PolicyMgrUserGroupBuilder.java:1101)
        at 
org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addOrUpdateDeltaGroups(PolicyMgrUserGroupBuilder.java:1056)
        at 
org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addOrUpdateGroups(PolicyMgrUserGroupBuilder.java:601)
        at 
org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.addOrUpdateUsersGroups(PolicyMgrUserGroupBuilder.java:328)
        at 
org.apache.ranger.unixusersync.process.UnixUserGroupBuilder.updateSink(UnixUserGroupBuilder.java:209)
        at 
org.apache.ranger.usergroupsync.UserGroupSync.syncUserGroup(UserGroupSync.java:101)
        at 
org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:83)
        at java.base/java.lang.Thread.run(Thread.java:840)
21 Jan 2025 16:59:01 DEBUG o.a.r.u.p.PolicyMgrUserGroupBuilder 
[UnixUserSyncThread] - ==> PolicyMgrUserGroupBuilder.addAuditInfo(0, 57, 0, 0, 
Unix)
21 Jan 2025 16:59:01 DEBUG o.a.r.u.p.PolicyMgrUserGroupBuilder 
[UnixUserSyncThread] - ==> PolicyMgrUserGroupBuilder.getUserGroupAuditInfo() 
{code}
{code:java}
 {code}
[~avazquez]  Have you validated the Ranger Usersync functionality ? I am 
observing above error.

 

> Upgrade spring framework and spring security versions
> -----------------------------------------------------
>
>                 Key: RANGER-4038
>                 URL: https://issues.apache.org/jira/browse/RANGER-4038
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Himanshu Maurya
>            Priority: Major
>
> Pivotal Spring Framework up to (excluding) 6.0.0 suffers from a potential 
> remote code execution (RCE) issue if used for Java deserialization of 
> untrusted data. Depending on how the library is implemented within a product, 
> this issue may or not occur, and authentication may be required.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)