HDP-2.4.2 Release Notes

Common Vulnerabilities and Exposures

The following information-security vulnerabilities and exposures (CVEs) were fixed as part of HDP 2.4.2.

  • CVE-2016-2174: Apache Ranger SQL injection vulnerability

    Severity: Moderate

    Vendor: Hortonworks

    Versions Affected: All HDP 2.3.x and 2.4.x versions, including Apache Ranger versions 0.5.0, 0.5.1, and 0.5.2.

    Users Affected: All admin users of the Ranger policy admin tool.

    Impact: SQL injection vulnerability in the Audit > Access tab. When a user clicks an element in the policyId row of the list, the UI makes an underlying call that carries the eventTime parameter, and that parameter is where the vulnerability lies. Admin users can send arbitrary SQL code to be executed along with the eventTime parameter through the /service/plugins/policies/eventTime/ URL. See BUG-55856, BUG-55857 and BUG-55858.

    Recommended Action: Upgrade to HDP 2.4.2+ (with Apache Ranger 0.5.2+).
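The defect class the advisory describes, as an added example that is not Ranger's code: an audit lookup that splices the caller-supplied eventTime into the SQL text, beside one that validates the value and binds it as a query parameter so the database only ever treats it as data. The in-memory audit table, its column names and the timestamp format are assumptions for the demonstration.

```python
# Added example (not Apache Ranger's code): a vulnerable and a hardened way for
# an audit-lookup handler to use the eventTime request parameter, run over a
# constructed in-memory audit table.
import sqlite3
from datetime import datetime

# Constructed sample audit rows; the real Ranger audit schema is not used here.
SAMPLE_ROWS = [
    (1, "2016-04-01 10:00:00", "alice", "ALLOW"),
    (2, "2016-04-01 10:05:00", "bob", "DENY"),
    (3, "2016-04-02 09:30:00", "carol", "ALLOW"),
]


def audit_db():
    """Build the constructed audit table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit(id INTEGER, event_time TEXT, user TEXT, result TEXT)"
    )
    conn.executemany("INSERT INTO audit VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, event_time):
    """Defect pattern: the parameter is pasted into the statement text, so the
    database parses whatever the caller sent as part of the SQL itself."""
    sql = f"SELECT id FROM audit WHERE event_time = '{event_time}'"
    return [row[0] for row in conn.execute(sql)]


def validate_event_time(event_time):
    """Reject anything that is not a timestamp before it reaches the query."""
    try:
        datetime.strptime(event_time, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        raise ValueError("eventTime must be YYYY-MM-DD HH:MM:SS")
    return event_time


def lookup_fixed(conn, event_time):
    """Hardened pattern: validate the input, then bind it as a parameter so the
    statement text is fixed and the value can never change the query shape."""
    event_time = validate_event_time(event_time)
    sql = "SELECT id FROM audit WHERE event_time = ?"
    return [row[0] for row in conn.execute(sql, (event_time,))]
```

Even without the format check, the bound parameter on its own stops the value from being interpreted as SQL; the validation adds a second layer and a clear error for malformed requests.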