Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtVelmurugan Periasamy1337DAY-ID-27924
HistoryJun 10, 2017 - 12:00 a.m.

Apache Ranger 0.5.x / 0.6.x / 0.7.0 Policy Miss / Permission Check Vulnerability

2017-06-1000:00:00
Velmurugan Periasamy
0day.today
23

0.001 Low

EPSS

Percentile

30.9%

JSON

Apache Ranger versions prior to 0.7.1 suffer from issues where policy evaluation ignores characters after the asterisk wildcard character and the Hive Authorizer fails to check for RWX permission when an external location is specified.

Hello:

Please find below details on CVEs fixed in Ranger 0.7.1 release. Release details can be found at https://cwiki.apache.org/confluence/display/RANGER/0.7.1+Release+-+Apache+Ranger 

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CVE-2017-7676: Apache Ranger policy evaluation ignores characters after a*a wildcard character
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x/0.6.x/0.7.0 versions of Apache Ranger
Users affected: Environments that use Ranger policies with characters after a*a wildcard character a like my*test, test*.txt
Description: Policy resource matcher ignores characters after a*a wildcard character, which can result in unintended behavior.
Fix detail: Ranger policy resource matcher was updated to correctly handle wildcard matches.
Mitigation: Users should upgrade to 0.7.1 or later version of Apache Ranger with the fix.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CVE-2017-7677: Apache Ranger Hive Authorizer should check for RWX permission when external location is specified
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: 0.5.x/0.6.x/0.7.0 versions of Apache Ranger
Users affected: Environments that use external location for hive tables 
Description: In environments that use external location for hive tables, Apache Ranger Hive Authorizer should check for RWX permission for the external location specified for create table.
Fix detail: Ranger Hive Authorizer was updated to correctly handle permission check with external location.
Mitigation: Users should upgrade to 0.7.1 or later version of Apache Ranger with the fix.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Thank you,
Velmurugan Periasamy

#  0day.today [2018-02-09]  #

Related

prion 2
osv 4
github 2
cvelist 2
veracode 2
cve 2
nvd 2
prion
prion
Design/Logic Flaw
2017-06-14 17:29:00
Xxe
2017-06-14 17:29:00
osv
osv
CVE-2017-7676
2017-06-14 17:29:00
CVE-2017-7677
2017-06-14 17:29:00
Moderate severity vulnerability that affects org.apache.ranger:ranger
2018-10-17 17:22:49
github
github
Policy resource matcher in Apache Ranger before 0.7.1 ignores characters after '' wildcard character
2018-10-17 17:22:38
Moderate severity vulnerability that affects org.apache.ranger:ranger
2018-10-17 17:22:49
cvelist
cvelist
CVE-2017-7676
2017-06-14 17:00:00
CVE-2017-7677
2017-06-14 17:00:00
veracode
veracode
Unintended Behaviours
2017-06-08 06:11:43
Permission Checking Bypass
2017-06-08 06:50:16
cve
cve
CVE-2017-7677
2017-06-14 17:29:00
CVE-2017-7676
2017-06-14 17:29:00
nvd
nvd
CVE-2017-7676
2017-06-14 17:29:00
CVE-2017-7677
2017-06-14 17:29:00

0.001 Low

EPSS

Percentile

30.9%

JSON
Related for 1337DAY-ID-27924
prion2osv4github2cvelist2veracode2cve2nvd2