Apache Ranger 0.5.x / 0.6.x / 0.7.0 Policy Miss / Permission Check

2017.06.09
Credit: Velmurugan
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

Hello:

Please find below details on CVEs fixed in Ranger 0.7.1 release. Release details can be found at https://cwiki.apache.org/confluence/display/RANGER/0.7.1+Release+-+Apache+Ranger

----------------------------------------------------------------------

CVE-2017-7676: Apache Ranger policy evaluation ignores characters after '*' wildcard character

Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x/0.6.x/0.7.0 versions of Apache Ranger
Users affected: Environments that use Ranger policies with characters after '*' wildcard character - like my*test, test*.txt
Description: Policy resource matcher ignores characters after '*' wildcard character, which can result in unintended behavior.
Fix detail: Ranger policy resource matcher was updated to correctly handle wildcard matches.
Mitigation: Users should upgrade to 0.7.1 or later version of Apache Ranger with the fix.

----------------------------------------------------------------------

CVE-2017-7677: Apache Ranger Hive Authorizer should check for RWX permission when external location is specified

Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x/0.6.x/0.7.0 versions of Apache Ranger
Users affected: Environments that use external location for hive tables
Description: In environments that use external location for hive tables, Apache Ranger Hive Authorizer should check for RWX permission for the external location specified for create table.
Fix detail: Ranger Hive Authorizer was updated to correctly handle permission check with external location.
Mitigation: Users should upgrade to 0.7.1 or later version of Apache Ranger with the fix.

----------------------------------------------------------------------

Thank you,
Velmurugan Periasamy
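
An added example for CVE-2017-7676 (not part of the original advisory and not Apache Ranger's code): it models the described behaviour, where text after the first '*' is ignored, beside a full wildcard match, and lists policy resource values that contain characters after '*'. The sample policies are constructed and assume the `name` / `resources` / `values` layout of a Ranger policy export; `flawed_match` is a simplified model of the description, not Ranger's matcher.

```python
import re

def flawed_match(pattern, value):
    """Simplified model of the advisory's description: text after the first '*' is ignored."""
    star = pattern.find("*")
    if star == -1:
        return pattern == value
    return value.startswith(pattern[:star])

def correct_match(pattern, value):
    """Full wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value, re.DOTALL) is not None

def affected_patterns(policies):
    """Return (policy name, resource type, value) for values with characters after '*'."""
    hits = []
    for policy in policies:
        for rtype, res in policy.get("resources", {}).items():
            for value in res.get("values", []):
                star = value.find("*")
                if star != -1 and star < len(value) - 1:
                    hits.append((policy["name"], rtype, value))
    return hits

def over_matches(pattern, candidates):
    """Values the flawed model accepts although a correct matcher rejects them."""
    return [v for v in candidates
            if flawed_match(pattern, v) and not correct_match(pattern, v)]

# Constructed sample policies (assumed export layout, hypothetical names).
SAMPLE_POLICIES = [
    {"name": "finance-reports", "resources": {"path": {"values": ["/data/test*.txt"]}}},
    {"name": "staging-tables", "resources": {"database": {"values": ["stg"]},
                                             "table": {"values": ["my*test", "*"]}}},
    {"name": "logs-all", "resources": {"path": {"values": ["/logs/*"]}}},
]

if __name__ == "__main__":
    for name, rtype, pattern in affected_patterns(SAMPLE_POLICIES):
        print(f"{name}: {rtype} value {pattern!r} has characters after '*'")
    print(over_matches("test*.txt", ["test1.txt", "test1.csv", "testing", "other.txt"]))
```

Policies flagged by `affected_patterns` are the ones to re-test after upgrading to 0.7.1 or later, since their effective scope changes once the matcher honours the full pattern.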

