Document possible vulnerabilities for the druid-ranger-security (#9649)

* Document possible vulnerabilities for the druid-ranger-security

In certain configurations the ranger plugin can expose vulnerabilities due
to some of its dependencies having CVEs.

* Spelling checker is a bit tight
bolkedebruin 2020-04-09 19:43:11 +02:00 committed by GitHub
parent a6790ff22a
commit ab5ac7f890
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 46 additions and 1 deletions


@ -30,6 +30,16 @@ Make sure to [include](../../development/extensions.md#loading-extensions) `drui
Please see [Authentication and Authorization](../../design/auth.md) for more information on the extension interfaces being implemented.
---
**NOTE**
The latest release of Apache Ranger is at the time of writing version 2.0. This version has a dependency
on `log4j 1.2.17` which has a vulnerability if you configure it to use a `SocketServer` (CVE-2019-17571). Next to that,
it also includes Kafka 2.0.0 which has 2 known vulnerabilities (CVE-2019-12399, CVE-2018-17196). Kafka can be used
by the audit component in Ranger, but is not required.
---
## Configuration
Support for Apache Ranger authorization consists of three elements: configuration of the extension
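Review bot: the NOTE block names the affected dependencies but gives operators no actionable guidance; in the added paragraph, after "but is not required.", state the mitigation explicitly, e.g. "Do not configure log4j with a `SocketServer`, and do not enable the Kafka audit destination in Ranger, until a Ranger release with updated dependencies is available." The suppression TODOs in this same change already name Apache Ranger 2.1 as the expected fix, so the note could mention that too instead of only "at the time of writing version 2.0". Two smaller points: "Next to that," reads awkwardly ("In addition," is clearer), and the `---` on the line directly after the "Please see [Authentication and Authorization]..." paragraph will be parsed by CommonMark as a setext heading underline (turning that paragraph into an H2) unless a blank line separates them; confirm the rendered docs look right.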


@ -187,4 +187,36 @@
<packageUrl regex="true">^pkg:npm/node\-sass@.*$</packageUrl>
<vulnerabilityName>CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')</vulnerabilityName>
</suppress>
<suppress>
<!--
~ TODO: Fix when Apache Ranger 2.1 is released
-->
<notes><![CDATA[
file name: kafka_2.11-2.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka_2.11@2.0.0$</packageUrl>
<cve>CVE-2019-12399</cve>
<cve>CVE-2018-17196</cve>
</suppress>
<suppress>
<!--
~ TODO: Fix when Apache Ranger 2.1 is released
-->
<notes><![CDATA[
file name: kafka-clients-2.0.0.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka-clients@2.0.0$</packageUrl>
<cve>CVE-2019-12399</cve>
<cve>CVE-2018-17196</cve>
</suppress>
<suppress>
<!--
~ TODO: Fix when Apache Ranger is released with updated log4j
-->
<notes><![CDATA[
file name: log4j-1.2.17.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/log4j/log4j@1.2.17$</packageUrl>
<cve>CVE-2019-17571</cve>
</suppress>
</suppressions>
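Review bot: the three new `<suppress>` entries rely only on a `TODO` comment to get revisited; dependency-check's `<suppress until="YYYY-MM-DD">` attribute would make them expire automatically so the build fails again and forces a re-check once the suppression is stale, e.g. `<suppress until="2020-12-31">` with the date chosen by when Ranger 2.1 is expected. The `<notes>` blocks should also say why the CVE is acceptable to suppress (log4j `SocketServer` not used; Kafka audit destination not enabled by default), mirroring the docs NOTE in this commit, rather than only the jar file name. Minor consistency point: with `regex="true"`, `org\.apache\.kafka` escapes its dots but `kafka_2.11@2.0.0`, `kafka-clients@2.0.0` and `log4j@1.2.17` do not; harmless here, but worth making uniform.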


@ -1726,4 +1726,7 @@ regionName
- ../docs/development/extensions-core/druid-ranger-security.md
json
metastore
UserGroupInformation
UserGroupInformation
CVE-2019-17571
CVE-2019-12399
CVE-2018-17196
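Review bot: adding each CVE identifier as a separate dictionary word means every future advisory added to the docs needs another entry here; if the spell checker in use supports ignore patterns, a single pattern matching the `CVE-YYYY-NNNN` form would be more maintainable than listing `CVE-2019-17571`, `CVE-2019-12399` and `CVE-2018-17196` individually. If it does not, this is fine as-is. Unrelated to this change, but visible in the context lines: `UserGroupInformation` appears twice in the list and one copy could be dropped.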