[ https://issues.apache.org/jira/browse/RANGER-3785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17553418#comment-17553418 ]

Pradeep Agrawal commented on RANGER-3785:
-----------------------------------------

[~anurag2898] : Either you can upgrade to the latest Ranger or replace the log4j jars
manually in your environment to unblock yourself.

We cannot make changes in a released branch.

> CVSS-V3 >= 10 vulnerability in Apache Ranger 2.2.0
> --------------------------------------------------
>
>                 Key: RANGER-3785
>                 URL: https://issues.apache.org/jira/browse/RANGER-3785
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 2.2.0
>            Reporter: Anurag
>            Priority: Critical
>
> Hi Team
>
> We have found two CVSS V3 >= 10 vulnerabilities in the latest Ranger Admin
> release. Kindly help us patch this at the earliest, since these are critical
> and may lead to unforeseen adversities.
>
> Details of the vulnerability:
>
> |Summary|CVE|Severity|Component|CVSS V3|Source Comp Id|Details|
> |Apache Log4j2 2.0-beta9 through 2.15.0|CVE-2021-44228|Critical|org.apache.logging.log4j:log4j-core|10.0/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H|gav://org.apache.logging.log4j:log4j-core:2.13.3|Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.|
> |FasterXML jackson-databind|CVE-2018-14721|Critical|com.fasterxml.jackson.core:jackson-databind|10.0/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H|gav://com.fasterxml.jackson.core:jackson-databind:2.4.0|FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.|
>
> Thanks and Regards
> Anurag

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
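Added example for readers following the "replace the jars manually" route; this is not Ranger project code and not from the reporter or commenter. It walks an install tree, parses jar file names, and flags any log4j-core or jackson-databind jar whose version falls inside the two ranges quoted in the report (including the 2.12.2/2.12.3/2.3.1 log4j backports the advisory excludes). The path /opt/ranger-admin is a placeholder assumption.

```python
import os
import re

JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<ver>\d+(?:\.\d+)*(?:-[A-Za-z]*\d*)?)\.jar$")

def parse_version(text):
    """'2.13.3' -> ((2, 13, 3), 1, '', 0); '2.0-beta9' -> ((2, 0), 0, 'beta', 9).
    A tagged pre-release sorts below the final release with the same numbers."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]*)(\d*))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    if m.group(2) is None:
        return (nums, 1, "", 0)
    return (nums, 0, m.group(2).lower(), int(m.group(3) or 0))

# Affected ranges exactly as the quoted advisories state them.
LOG4J_FIRST, LOG4J_LAST = parse_version("2.0-beta9"), parse_version("2.15.0")
LOG4J_BACKPORTS = {parse_version(v) for v in ("2.12.2", "2.12.3", "2.3.1")}
JACKSON_FIXED = parse_version("2.9.7")

def cves_for(artifact, version):
    """Return the CVE ids from the report that apply to artifact@version."""
    v = parse_version(version)
    found = []
    if artifact == "log4j-core":
        if LOG4J_FIRST <= v <= LOG4J_LAST and v not in LOG4J_BACKPORTS:
            found.append("CVE-2021-44228")
    elif artifact == "jackson-databind":
        if v[0][0] == 2 and v < JACKSON_FIXED:   # "2.x before 2.9.7"
            found.append("CVE-2018-14721")
    return found

def audit(root):
    """Walk root (e.g. a Ranger install dir) and map every affected jar
    path to the CVE ids it matches; jars with unparseable names are skipped."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_NAME.match(name)
            if m:
                cves = cves_for(m.group("artifact"), m.group("ver"))
                if cves:
                    hits[os.path.join(dirpath, name)] = cves
    return hits

if __name__ == "__main__":   # placeholder install path, adjust to your host
    for path, cves in sorted(audit("/opt/ranger-admin").items()):
        print(path, cves)
```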