Please find below details on CVEs fixed in Ranger 0.7.1 release. Release details can be found at https://cwiki.apache.org/
------------------------------
CVE-2017-7676: Apache Ranger policy evaluation ignores characters after ‘*’ wildcard character
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x/0.6.x/0.7.0 versions of Apache Ranger
Users affected: Environments that use Ranger policies with characters after ‘*’ wildcard character – like my*test, test*.txt
Description: Policy resource matcher ignores characters after ‘*’ wildcard character, which can result in unintended behavior.
Fix detail: Ranger policy resource matcher was updated to correctly handle wildcard matches.
Mitigation: Users should upgrade to 0.7.1 or later version of Apache Ranger with the fix.
------------------------------
CVE-2017-7677: Apache Ranger Hive Authorizer should check for RWX permission when external location is specified
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x/0.6.x/0.7.0 versions of Apache Ranger
Users affected: Environments that use external location for hive tables
Description: In environments that use external location for hive tables, Apache Ranger Hive Authorizer should check for RWX permission for the external location specified for create table.
Fix detail: Ranger Hive Authorizer was updated to correctly handle permission check with external location.
Mitigation: Users should upgrade to 0.7.1 or later version of Apache Ranger with the fix.
------------------------------
Thank you,
Velmurugan Periasamy
Komentarų nėra:
Rašyti komentarą