CVE-2016-2174: Apache Ranger SQL injection vulnerability

Severity: Moderate

Vendor: Hortonworks

Versions Affected: All HDP 2.3.x and 2.4.x versions including Apache Ranger versions 0.5.0, 0.5.1, and 0.5.2.

Users Affected: All admin users of ranger policy admin tool.

Impact: SQL Injection vulnerability in Audit > Access tab. When the user clicks an element from policyId row of the list, there is a call made underneath with eventTime parameter which contains the vulnerability. Admin users can send some arbitrary SQL code to be executed along with eventTime parameter using /service/plugins/policies/eventTime/ URL. See BUG-55856, BUG-55857 and BUG-55858

Recommended Action: Upgrade to HDP 2.4.2+ (with Apache Ranger 0.5.2+).