Common Vulnerabilities and Exposures
CVE-2017-7676
| Summary: Apache Ranger policy evaluation ignores characters after ‘*’ wildcard character |
| Severity: Critical |
| Vendor: Hortonworks |
| Versions Affected: HDP 2.3/2.4/2.5/2.6 versions including Apache Ranger versions 0.5.x/0.6.x/0.7.0 |
| Users affected: Environments that use Ranger policies with characters after the ‘*’ wildcard, such as my*test or test*.txt |
| Impact: The policy resource matcher ignores any characters after the ‘*’ wildcard, so a pattern such as test*.txt is evaluated as if it were test*. A policy written for a narrow set of resources can therefore match, and grant access to, resources its author never intended to cover. |
| Fix detail: Ranger policy resource matcher was updated to correctly handle wildcard matches. |
| Recommended Action: Upgrade to HDP 2.6.1+ (with Apache Ranger 0.7.1+). |
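The matching behaviour described above, as an added example that is not Ranger's own code: a matcher that drops everything after the first ‘*’ (the pre-fix behaviour the advisory describes) beside a full-pattern matcher, plus a check that scans a policy export for resource values with text after a ‘*’. The wildcard semantics (‘*’ any run of characters, ‘?’ one character), the sample export and its policy names are assumptions; the export layout (a "policies" list whose entries carry a "resources" map of {"values": [...]}) is modelled on Ranger's JSON policy export.

```python
"""Added example (not Ranger's code): a resource matcher that stops at the first
'*' (the behaviour CVE-2017-7676 describes) next to a full-pattern matcher, and a
check that flags policies whose resource values carry text after a '*'."""
import re
from typing import Dict, List, Tuple


def vulnerable_match(pattern: str, resource: str) -> bool:
    """Model of the pre-fix behaviour: characters after the first '*' are ignored,
    so 'test*.txt' is effectively evaluated as the prefix pattern 'test*'."""
    star = pattern.find("*")
    if star == -1:
        return pattern == resource
    return resource.startswith(pattern[:star])


def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a wildcard pattern ('*' any run, '?' one character; assumed
    semantics) into an anchored regex; every other character matches literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def fixed_match(pattern: str, resource: str) -> bool:
    """Full-pattern match: literal text after a '*' must still be present."""
    return _glob_to_regex(pattern).match(resource) is not None


def overmatched(pattern: str, resources: List[str]) -> List[str]:
    """Resources the vulnerable matcher admits but the fixed matcher rejects,
    i.e. the unintended grants a policy with this pattern would have produced."""
    return [r for r in resources
            if vulnerable_match(pattern, r) and not fixed_match(pattern, r)]


def has_text_after_wildcard(value: str) -> bool:
    """True when a non-'*' character follows the first '*' (the affected shape)."""
    star = value.find("*")
    return star != -1 and any(ch != "*" for ch in value[star + 1:])


def affected_patterns(export: Dict) -> List[Tuple[int, str, str]]:
    """Scan a policy export and return (policy id, resource name, value) for every
    resource value whose pattern has text after a '*'.  The export shape assumed
    here (a "policies" list whose entries hold a "resources" map of
    {"values": [...], ...}) is modelled on Ranger's JSON policy export."""
    hits = []
    for policy in export.get("policies", []):
        for res_name, res in policy.get("resources", {}).items():
            for value in res.get("values", []):
                if has_text_after_wildcard(value):
                    hits.append((policy["id"], res_name, value))
    return hits


# Constructed sample export (not real data) containing two affected patterns.
SAMPLE_EXPORT = {
    "policies": [
        {"id": 1, "name": "app-logs", "resources": {
            "path": {"values": ["/data/logs/app*.log"], "isRecursive": False}}},
        {"id": 2, "name": "tmp-all", "resources": {
            "path": {"values": ["/tmp/*"], "isRecursive": True}}},
        {"id": 3, "name": "sales-summaries", "resources": {
            "database": {"values": ["sales"]},
            "table": {"values": ["q1*_summary"]}}},
    ]
}

if __name__ == "__main__":
    candidates = ["test.log", "test.txt", "test-2017.txt", "other.txt"]
    print("unintended matches for test*.txt:", overmatched("test*.txt", candidates))
    for pid, res, value in affected_patterns(SAMPLE_EXPORT):
        print(f"policy {pid}: {res}={value!r} is affected before Ranger 0.7.1")
```

Running `affected_patterns` over a real export of an un-upgraded cluster gives the list of policies whose effective scope is wider than written; those are the ones to review (or rewrite without trailing text after ‘*’) until the upgrade to Ranger 0.7.1+ is in place.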
CVE-2017-7677
| Summary: Apache Ranger Hive Authorizer should check for RWX permission when external location is specified |
| Severity: Critical |
| Vendor: Hortonworks |
| Versions Affected: HDP 2.3/2.4/2.5/2.6 versions including Apache Ranger versions 0.5.x/0.6.x/0.7.0 |
| Users affected: Environments that use an external location for Hive tables |
| Impact: When a table is created with an external location (CREATE TABLE ... LOCATION), the Ranger Hive Authorizer did not verify that the requesting user holds read, write and execute (RWX) permission on that location. A user with CREATE permission on a database could therefore create a table over an HDFS path on which Ranger grants them no RWX permission. |
| Fix detail: Ranger Hive Authorizer was updated to correctly handle permission check with external location. |
| Recommended Action: Users should upgrade to HDP 2.6.1+ (with Apache Ranger 0.7.1+). |
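The missing check, as an added example that is not Ranger's own authorizer code: a minimal model in which the pre-fix decision consults only the database-level CREATE permission, while the post-fix decision also requires read, write and execute on the external location. The path-policy semantics (exact path, or any ancestor when the policy is recursive), the users, databases and paths are all assumptions constructed for the example.

```python
"""Added example (not Ranger's code): a minimal model of the authorization gap
closed by CVE-2017-7677.  CREATE TABLE with a LOCATION is checked against the
database-level CREATE permission only (pre-fix) versus CREATE plus read, write
and execute on the external location (post-fix)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

RWX = frozenset({"read", "write", "execute"})


@dataclass(frozen=True)
class HdfsPolicy:
    """Simplified HDFS path policy: which users hold which permissions on a path,
    extended to sub-paths when `recursive` is set (assumed semantics)."""
    path: str
    recursive: bool
    users: FrozenSet[str]
    perms: FrozenSet[str]


def hdfs_perms(user: str, location: str, policies: List[HdfsPolicy]) -> FrozenSet[str]:
    """Union of permissions `user` holds on `location`: a policy applies when its
    path equals the location, or is an ancestor and the policy is recursive."""
    granted = set()
    for p in policies:
        if user not in p.users:
            continue
        under = location.startswith(p.path.rstrip("/") + "/")
        if location == p.path or (p.recursive and under):
            granted |= p.perms
    return frozenset(granted)


def authorize_create_pre_fix(user: str, db: str, location: Optional[str],
                             hive_policies: Dict[str, Dict[str, FrozenSet[str]]],
                             hdfs_policies: List[HdfsPolicy]) -> bool:
    """Pre-fix: only the database CREATE permission is consulted; the external
    location is never looked at."""
    return "create" in hive_policies.get(db, {}).get(user, frozenset())


def authorize_create_post_fix(user: str, db: str, location: Optional[str],
                              hive_policies: Dict[str, Dict[str, FrozenSet[str]]],
                              hdfs_policies: List[HdfsPolicy]) -> bool:
    """Post-fix: CREATE on the database, and when a LOCATION is given the user
    must also hold read, write and execute on that path."""
    if "create" not in hive_policies.get(db, {}).get(user, frozenset()):
        return False
    if location is None:          # managed table: no external path to check
        return True
    return RWX <= hdfs_perms(user, location, hdfs_policies)


def newly_denied(user: str, db: str, locations: List[str],
                 hive_policies: Dict[str, Dict[str, FrozenSet[str]]],
                 hdfs_policies: List[HdfsPolicy]) -> List[str]:
    """Locations the pre-fix check allowed but the post-fix check rejects."""
    return [loc for loc in locations
            if authorize_create_pre_fix(user, db, loc, hive_policies, hdfs_policies)
            and not authorize_create_post_fix(user, db, loc, hive_policies, hdfs_policies)]


# Constructed sample policies (hypothetical users, databases and paths).
HIVE_POLICIES: Dict[str, Dict[str, FrozenSet[str]]] = {
    "scratch": {"analyst": frozenset({"create", "select"})},
}
HDFS_POLICIES: List[HdfsPolicy] = [
    HdfsPolicy("/user/analyst", True, frozenset({"analyst"}), RWX),
    HdfsPolicy("/data/hr", True, frozenset({"hr_admin"}), RWX),
    HdfsPolicy("/data/public", True, frozenset({"analyst"}), frozenset({"read", "execute"})),
]

if __name__ == "__main__":
    locations = ["/user/analyst/tmp", "/data/hr/salaries", "/data/public/ref"]
    print("external locations the pre-fix check wrongly allowed:",
          newly_denied("analyst", "scratch", locations, HIVE_POLICIES, HDFS_POLICIES))
```

The third sample path shows why the fix demands all three bits: read and execute alone are not enough, because creating the table also implies the ability to write into the location.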
CVE-2016-8746
| Summary: Apache Ranger path matching issue in policy evaluation |
| Severity: Normal |
| Vendor: Hortonworks |
| Versions Affected: All HDP 2.5 versions including Apache Ranger versions 0.6.0/0.6.1/0.6.2 |
| Users affected: All users of the Ranger policy admin tool. |
| Impact: The Ranger policy engine incorrectly matches paths in certain conditions when a policy contains wildcards and recursive flags, so a path policy can apply to paths other than those its author intended. |
| Fix detail: Fixed the policy evaluation logic. |
| Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+). |
CVE-2016-8751
| Summary: Apache Ranger stored cross site scripting issue |
| Severity: Normal |
| Vendor: Hortonworks |
| Versions Affected: All HDP 2.3/2.4/2.5 versions including Apache Ranger versions 0.5.x/0.6.0/0.6.1/0.6.2 |
| Users affected: All users of the Ranger policy admin tool. |
| Impact: Apache Ranger is vulnerable to stored cross-site scripting through custom policy conditions. An admin user can store arbitrary JavaScript in a policy condition, and it executes in the browser of any other user who logs in and views that policy. |
| Fix detail: Added logic to sanitize the user input. |
| Recommended Action: Users should upgrade to HDP 2.5.4+ (with Apache Ranger 0.6.3+). |