[ https://issues.apache.org/jira/browse/RANGER-3785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17553418#comment-17553418 ]

Pradeep Agrawal commented on RANGER-3785:
-----------------------------------------

[~anurag2898] : Either you can upgrade to the latest Ranger or replace the log4j jars manually in your environment to unblock yourself. We cannot make changes in a released branch.

> CVSS-V3 >= 10 vulnerability in Apache Ranger 2.2.0
> --------------------------------------------------
>
>                 Key: RANGER-3785
>                 URL: https://issues.apache.org/jira/browse/RANGER-3785
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 2.2.0
>            Reporter: Anurag
>            Priority: Critical
>
> Hi Team
>
> We have found two CVSS V3 >= 10 vulnerabilities in the latest Ranger Admin release. Kindly help us patch this at the earliest, since these are critical and may lead to unforeseen adversities.
>
> Details of the vulnerability:
>
> |Summary|CVE|Severity|Component|CVSS V3|Source Comp Id|Details|
> |Apache Log4j2 2.0-beta9 through 2.15.0|CVE-2021-44228|Critical|org.apache.logging.log4j:log4j-core|10.0/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H|gav://org.apache.logging.log4j:log4j-core:2.13.3|Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.|
> |FasterXML jackson-databind|CVE-2018-14721|Critical|com.fasterxml.jackson.core:jackson-databind|10.0/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H|gav://com.fasterxml.jackson.core:jackson-databind:2.4.0|FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.|
>
> Thanks and Regards
> Anurag

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
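As an added example (not code from the issue or from the Ranger project): a small Python inventory script that walks an install directory, picks out log4j-core and jackson-databind jars by file name, and flags the versions affected according to the ranges quoted in the issue, so a team following the advice above to replace the jars manually can see which ones actually need replacing. The directory layout is constructed, and the assumption that the version appears in the jar file name is stated in the code (jars whose version lives only in the manifest are not seen).

```python
"""Flag log4j-core and jackson-databind jar versions named in RANGER-3785 (added example)."""
import os
import re
import tempfile
# Assumption: the version is in the jar file name (maven-style artifact-version.jar).
JAR_RE = re.compile(r"^(log4j-core|jackson-databind)-(\d+(?:\.\d+)*(?:-[A-Za-z0-9]+)?)\.jar$")

def parse_version(v: str) -> tuple:
    """'2.0-beta9' -> (2, 0, 0, 0, 'beta9'); a pre-release sorts before its final."""
    base, _, pre = v.partition("-")
    nums = tuple(int(x) for x in base.split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((0, pre) if pre else (1, ""))

def log4j_core_affected(v: str) -> bool:
    """CVE-2021-44228 range as stated in the issue: 2.0-beta9 through 2.15.0, except
    the security releases 2.12.2, 2.12.3 and 2.3.1; fixed from 2.16.0."""
    if v in {"2.12.2", "2.12.3", "2.3.1"}:
        return False
    return parse_version("2.0-beta9") <= parse_version(v) <= parse_version("2.15.0")

def jackson_databind_affected(v: str) -> bool:
    """CVE-2018-14721 range as stated in the issue: jackson-databind 2.x before 2.9.7."""
    return (2, 0, 0) <= parse_version(v)[:3] < (2, 9, 7)

CHECKS = {"log4j-core": log4j_core_affected, "jackson-databind": jackson_databind_affected}

def classify_jar(filename: str):
    """(artifact, version, affected) for a jar we track, else None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    artifact, version = m.groups()
    return artifact, version, CHECKS[artifact](version)

def scan_install(root: str) -> list:
    """Walk an install tree; affected entries are the jars to replace or upgrade."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            hit = classify_jar(name)
            if hit:
                found.append((os.path.join(dirpath, name),) + hit)
    return sorted(found)
def demo() -> list:
    """Constructed tree holding the two versions the issue names plus a fixed log4j."""
    with tempfile.TemporaryDirectory() as tmp:
        for jar in ("log4j-core-2.13.3.jar", "jackson-databind-2.4.0.jar", "log4j-core-2.16.0.jar"):
            open(os.path.join(tmp, jar), "w").close()  # empty placeholder; only the name matters
        return [(a, v, bad) for _, a, v, bad in scan_install(tmp)]
```

Run `scan_install` against the real install root to get full paths of every tracked jar together with its affected flag.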