Date: Wed, 1 Jun 2016 10:41:46 -0400
From: Velmurugan Periasamy <vel@...che.org>
To: security@...che.org,
 oss-security@...ts.openwall.com,
 bugtraq@...urityfocus.com
Cc: dev@...ger.incubator.apache.org,
 user@...ger.incubator.apache.org,
 private@...ger.incubator.apache.org,
 vel@...che.org
Subject: CVE update (CVE-2016-2174) - Fixed in Ranger 0.5.3

Hello:

Here’s a CVE update for the Ranger 0.5.3 release. Please see the details below.

Release details can be found at https://cwiki.apache.org/confluence/display/RANGER/0.5.3+Release+-+Apache+Ranger

Thank you,
Velmurugan Periasamy

-----------------------------------------------------------------------------------------------
CVE-2016-2174: Apache Ranger SQL injection vulnerability
-----------------------------------------------------------------------------------------------
Severity: Normal
Vendor: The Apache Software Foundation
Versions Affected: All versions of Apache Ranger from 0.5.0 (up to 0.5.3)
Users Affected: All admin users of the Ranger policy admin tool
Description: SQL Injection vulnerability in Audit > Access tab. When the user
clicks an element from policyId row of the list, there is a call made underneath
with eventTime parameter which contains the vulnerability. Admin users can
send some arbitrary SQL code to be executed along with eventTime parameter
using /service/plugins/policies/eventTime URL.
Fix details: Replaced native queries with JPA named queries
Mitigation: Users should upgrade to the 0.5.3 version of Apache Ranger with the fix.
Credit: Thanks to Mateusz Olejarka from SecuRing for reporting this issue.
-----------------------------------------------------------------------------------------------
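
The fix pattern named under "Fix details", as an added example that is not part of the original advisory and is not Ranger's code: the eventTime value is validated as a timestamp and passed as a bound parameter instead of being pasted into the SQL text. Python's sqlite3 placeholders stand in here for JPA named queries; the `policy_history` table, its rows and the function names are hypothetical.

```python
import sqlite3
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
# Constructed hostile eventTime value (textbook tautology, not from the advisory).
HOSTILE = "2016-02-01 00:00:00' OR '1'='1"

def make_db():
    """Build a hypothetical policy-version table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE policy_history "
               "(policy_id INTEGER, version INTEGER, valid_from TEXT)")
    db.executemany("INSERT INTO policy_history VALUES (?, ?, ?)", [
        (1, 1, "2016-01-01 00:00:00"),
        (1, 2, "2016-03-01 00:00:00"),
        (2, 1, "2016-02-01 00:00:00"),
    ])
    return db

def lookup_concatenated(db, policy_id, event_time):
    """Vulnerable pattern: event_time becomes part of the SQL text itself."""
    sql = ("SELECT policy_id, version FROM policy_history "
           "WHERE policy_id = %d AND valid_from <= '%s' "
           "ORDER BY valid_from" % (policy_id, event_time))
    return db.execute(sql).fetchall()

def lookup_bound(db, policy_id, event_time):
    """Hardened pattern: fixed SQL text, validated and bound event_time."""
    # Reject anything that is not exactly a timestamp (raises ValueError).
    ts = datetime.strptime(event_time, TS_FORMAT)
    sql = ("SELECT policy_id, version FROM policy_history "
           "WHERE policy_id = ? AND valid_from <= ? ORDER BY valid_from")
    # The driver sends the values separately; they cannot alter the statement.
    return db.execute(sql, (policy_id, ts.strftime(TS_FORMAT))).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("honest, concatenated:", lookup_concatenated(db, 1, "2016-02-01 00:00:00"))
    print("honest, bound:       ", lookup_bound(db, 1, "2016-02-01 00:00:00"))
    # The quote in the hostile value closes the literal and widens the WHERE
    # clause, so rows for other policies come back too.
    print("hostile, concatenated:", lookup_concatenated(db, 1, HOSTILE))
    try:
        lookup_bound(db, 1, HOSTILE)
    except ValueError as exc:
        print("hostile, bound: rejected:", exc)
```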
