RANGER-2244

Tomcat Security Vulnerability Alert: the Tomcat version used by Ranger should be upgraded to 7.0.91 or later.


Details

• Type: Bug
• Status: Resolved
• Priority: Major
• Resolution: Fixed
• Affects Version/s: master
• Fix Version/s: 2.0.0
• Component/s: admin
• Flags: Patch, Important

Description

[SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect

CVE-2018-11784 Apache Tomcat - Open Redirect

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.11
Apache Tomcat 8.5.0 to 8.5.33
Apache Tomcat 7.0.23 to 7.0.90
The unsupported 8.0.x release line has not been analysed but is likely
to be affected.

Description:
When the default servlet returned a redirect to a directory (e.g.
redirecting to '/foo/' when the user requested '/foo') a specially
crafted URL could be used to cause the redirect to be generated to any
URI of the attacker's choice.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:

• Upgrade to Apache Tomcat 9.0.12 or later.
• Upgrade to Apache Tomcat 8.5.34 or later.
• Upgrade to Apache Tomcat 7.0.91 or later.
• Use mapperDirectoryRedirectEnabled="true" and
  mapperContextRootRedirectEnabled="true" on the Context to ensure that
  redirects are issued by the Mapper rather than the default Servlet.
  See the Context configuration documentation for further important
  details.

Credit:
This vulnerability was found by Sergey Bobrov and reported responsibly
to the Apache Tomcat Security Team.

History:
2018-10-03 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
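As an added example (not code from the Ranger project or from the Tomcat advisory), the following Python checker turns the two actionable parts of the advisory into something a build or deployment pipeline can assert on: it classifies a Tomcat version string against the affected ranges quoted above, reporting the unanalysed 8.0.x line separately as "likely-affected", and it inspects a Context element for the two Mapper-redirect attributes named in the configuration mitigation. The version tuple ordering (milestone builds sorting before the final x.y.z release) and the sample Context documents are assumptions made for this example; the Context check requires both attributes to be explicitly "true" and deliberately does not assume Tomcat's defaults for absent attributes.

```python
# Added example for RANGER-2244 (not code from the Ranger project or the Tomcat
# advisory): classify a Tomcat version against the ranges the advisory lists and
# check a Context element for the Mapper-redirect mitigation attributes.
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges, copied from the advisory text above.
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.11"),
    ("8.5.0", "8.5.33"),
    ("7.0.23", "7.0.90"),
]

# Attributes the advisory names as the configuration mitigation.
MITIGATION_ATTRS = ("mapperDirectoryRedirectEnabled",
                    "mapperContextRootRedirectEnabled")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text):
    """Turn '9.0.0.M1' or '8.5.34' into a tuple that sorts in release order.

    Assumption used here: milestone builds precede the final x.y.z release,
    so a milestone becomes (x, y, z, 0, n) and a final release (x, y, z, 1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def classify(version):
    """Return 'affected', 'likely-affected' or 'not-listed' for a version.

    'likely-affected' covers the unsupported 8.0.x line, which the advisory
    says was not analysed; 'not-listed' means the version is outside every
    range the advisory gives (fixed releases, or lines it does not mention).
    """
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return "affected"
    if v[:2] == (8, 0):
        return "likely-affected"
    return "not-listed"


def mapper_redirects_enabled(context_xml):
    """True when the Context element sets both Mapper-redirect attributes to
    "true". An absent attribute counts as not set; Tomcat's defaults are
    deliberately not assumed here.
    """
    root = ET.fromstring(context_xml)
    ctx = root if root.tag == "Context" else root.find(".//Context")
    if ctx is None:
        return False
    return all(ctx.get(attr, "").strip().lower() == "true"
               for attr in MITIGATION_ATTRS)


# Constructed sample inputs (not taken from Ranger's real configuration).
SAMPLE_CONTEXT = """<Context path="/ranger"
    mapperDirectoryRedirectEnabled="true"
    mapperContextRootRedirectEnabled="true"/>"""
UNMITIGATED_CONTEXT = '<Context path="/ranger"/>'


if __name__ == "__main__":
    for ver in ("7.0.90", "7.0.91", "9.0.0.M1", "8.5.34", "8.0.53"):
        print(f"{ver:10} -> {classify(ver)}")
    print("sample context mitigated:", mapper_redirects_enabled(SAMPLE_CONTEXT))
    print("bare context mitigated:  ", mapper_redirects_enabled(UNMITIGATED_CONTEXT))
```

Because the range boundaries are inclusive on both ends, 7.0.90 is reported as affected and 7.0.91 (the version this issue upgrades to) as not listed; a pipeline that wants to block deployment should treat both "affected" and "likely-affected" as failures, and treat a missing mitigation attribute as unmitigated rather than trusting a default.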

People

• Assignee: Qiang Zhang (zhangqiang2)
• Reporter: Qiang Zhang (zhangqiang2)