oss-sec mailing list archives
CVE update (CVE-2016-2174) - Fixed in Ranger 0.5.3
From: Velmurugan Periasamy <vel () apache org>
Date: Wed, 1 Jun 2016 10:41:46 -0400
Hello: Here’s a CVE update for Ranger 0.5.3 release. Please see below details. Release details can be found at https://cwiki.apache.org/confluence/display/RANGER/0.5.3+Release+-+Apache+Ranger Thank you, Velmurugan Periasamy ----------------------------------------------------------------------------------------------- CVE-2016-2174: Apache Ranger sql injection vulnerability ----------------------------------------------------------------------------------------------- Severity: Normal Vendor: The Apache Software Foundation Versions Affected: All versions of Apache Ranger from 0.5.0 (up to 0.5.3) Users Affected: All admin users of ranger policy admin tool Description: SQL Injection vulnerability in Audit > Access tab. When the user clicks an element from policyId row of the list, there is a call made underneath with eventTime parameter which contains the vulnerability. Admin users can send some arbitrary sql code to be executed along with eventTime parameter using /service/plugins/policies/eventTime url. Fix details: Replaced native queries with JPA named queries Mitigation: Users should upgrade to 0.5.3 version of Apache Ranger with the fix. Credit: Thanks to Mateusz Olejarka from SecuRing for reporting this issue. -----------------------------------------------------------------------------------------------
Current thread:
- CVE update (CVE-2016-2174) - Fixed in Ranger 0.5.3 Velmurugan Periasamy (Jun 01)