[ANNOUNCE] Apache Qpid Dispatch 1.18.0 released

2021-11-19 Thread Ken Giusti
The Apache Qpid (https://qpid.apache.org) community is pleased to announce the immediate availability of Apache Qpid Dispatch 1.18.0. Qpid Dispatch is a router for the Advanced Message Queuing Protocol 1.0 (AMQP 1.0, ISO/IEC 19464, https://www.amqp.org). It provides a flexible and scalable

The Apache News Round-up: week ending 19 November 2021

2021-11-19 Thread Swapnil M Mane
Happy Friday, everyone. The Apache community has had another great week. Let's review what we've been up to: ASF Board – management and oversight of the business affairs of the corporation in accordance with the Foundation's bylaws. - Next Board Meeting: 15 December 2021. Board calendar and

[ANNOUNCE] Apache Jackrabbit Oak 1.6.22 released

2021-11-19 Thread Julian Reschke
The Apache Jackrabbit community is pleased to announce the release of Apache Jackrabbit Oak 1.6.22. The release is available for download at: http://jackrabbit.apache.org/downloads.html See the full release notes below for details about this release: Release Notes -- Apache Jackrabbit

CVE-2021-39235: Apache Ozone: Access mode of block tokens are not enforced

2021-11-19 Thread Siddharth Wagle
Description: Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with a valid READ block token can do any write operation on the same block. This issue is being tracked as HDDS-4558,HDDS-4644 Mitigation: Upgrade to Apache Ozone release version 1.2.0

CVE-2021-41532: Apache Ozone: Unauthenticated access to Ozone Recon HTTP endpoints

2021-11-19 Thread Siddharth Wagle
Severity: moderate Description: Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints. This issue is being tracked as HDDS-5691 Mitigation: Upgrade to Apache Ozone release version 1.2.0 Credit:

CVE-2021-39236: Apache Ozone: Owners of the S3 tokens are not validated

2021-11-19 Thread Siddharth Wagle
Description: Authenticated users with valid Ozone S3 credentials can create specific OM requests, impersonating any other user. This issue is being tracked as HDDS-4763 Mitigation: Upgrade to Apache Ozone release version 1.2.0 Credit: Apache Ozone would like to thank Marton Elek for

CVE-2021-39234: Apache Ozone: Raw block data can be read bypassing ACL/authorization

2021-11-19 Thread Siddharth Wagle
Description: Authenticated users knowing the ID of an existing block can craft a specific request allowing access to those blocks, bypassing other security checks like ACL. This issue is being tracked as HDDS-5061 Mitigation: Upgrade to Apache Ozone release version 1.2.0 Credit: Apache Ozone

CVE-2021-39233: Apache Ozone: Container-related datanode operations can be called without authorization

2021-11-19 Thread Siddharth Wagle
Description: Container-related Datanode requests of Ozone Datanode were not properly authorized and can be called by any client. This issue is being tracked as HDDS-4729,HDDS-5236 Mitigation: Upgrade to Apache Ozone release version 1.2.0 Credit: Apache Ozone would like to thank Marton Elek

CVE-2021-39232: Apache Ozone: Missing admin check for SCM related admin commands

2021-11-19 Thread Siddharth Wagle
Description: Certain admin-related SCM commands can be executed by any authenticated user, not just by admins. This issue is being tracked as HDDS-4530 Mitigation: Upgrade to Apache Ozone release version 1.2.0 Credit: Apache Ozone would like to thank Wei-Chiu Chuang for reporting this

CVE-2021-39231: Apache Ozone: Missing authentication/authorization on internal RPC endpoints

2021-11-19 Thread Siddharth Wagle
Description: Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration. This issue is being tracked as

CVE-2021-36372: Apache Ozone: Original block tokens are persisted and can be retrieved

2021-11-19 Thread Siddharth Wagle
Description: Initially generated block tokens are persisted to the metadata database and can be retrieved by authenticated users with permission to the key. Authenticated users may use them even after access is revoked. This issue is being tracked as HDDS-5315 Mitigation: Upgrade to