[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE update - fixed in Apache Ranger 0.7.1

To: security <security@xxxxxxxxxx>, oss-security@xxxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: CVE update - fixed in Apache Ranger 0.7.1
From: Velmurugan Periasamy <vel@xxxxxxxxxx>
Date: Wed, 7 Jun 2017 16:31:01 -0400

Hello:

Please find below details on CVEs fixed in Ranger 0.7.1 release. Release 
details can be found at 
https://cwiki.apache.org/confluence/display/RANGER/0.7.1+Release+-+Apache+Ranger
 

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CVE-2017-7676: Apache Ranger policy evaluation ignores characters after ‘*’ 
wildcard character
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x/0.6.x/0.7.0 versions of Apache Ranger
Users affected: Environments that use Ranger policies with characters after ‘*’ 
wildcard character – like my*test, test*.txt
Description: Policy resource matcher ignores characters after ‘*’ wildcard 
character, which can result in unintended behavior.
Fix detail: Ranger policy resource matcher was updated to correctly handle 
wildcard matches.
Mitigation: Users should upgrade to 0.7.1 or later version of Apache Ranger 
with the fix.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CVE-2017-7677: Apache Ranger Hive Authorizer should check for RWX permission 
when external location is specified
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x/0.6.x/0.7.0 versions of Apache Ranger
Users affected: Environments that use external location for hive tables 
Description: In environments that use external location for hive tables, Apache 
Ranger Hive Authorizer should check for RWX permission for the external 
location specified for create table.
Fix detail: Ranger Hive Authorizer was updated to correctly handle permission 
check with external location.
Mitigation: Users should upgrade to 0.7.1 or later version of Apache Ranger 
with the fix.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Thank you,
Velmurugan Periasamy

Prev by Date: [security bulletin] HPESBHF03757 rev.1 - HPE Network Products including Comware 5 and Comware 7 running NTP, Remote Denial of Service (DoS)
Next by Date: [security bulletin] HPESBGN03758 rev.1 - HPE UCMDB, Remote Code Execution
Previous by thread: [security bulletin] HPESBHF03757 rev.1 - HPE Network Products including Comware 5 and Comware 7 running NTP, Remote Denial of Service (DoS)
Next by thread: [security bulletin] HPESBGN03758 rev.1 - HPE UCMDB, Remote Code Execution
Index(es):
- Date
- Thread