From ab5ac7f890f88d6a07b18e78a44f88b52ddb8b9c Mon Sep 17 00:00:00 2001
From: bolkedebruin
Date: Thu, 9 Apr 2020 19:43:11 +0200
Subject: [PATCH] Document possible vulnerabilities for the druid-ranger-security (#9649)
* Document possible vulnerabilities for the druid-ranger-security
In certain configurations the ranger plugin can expose vulnerabilities due to some of its dependencies having CVEs.
* Spelling checker is a bit tight
---
 .../extensions-core/druid-ranger-security.md | 10 ++++++
 owasp-dependency-check-suppressions.xml | 32 +++++++++++++++++++
 website/.spelling | 5 ++-
 3 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/docs/development/extensions-core/druid-ranger-security.md b/docs/development/extensions-core/druid-ranger-security.md
index 374458f0794..8558d987faa 100644
--- a/docs/development/extensions-core/druid-ranger-security.md
+++ b/docs/development/extensions-core/druid-ranger-security.md
@@ -30,6 +30,16 @@ Make sure to [include](../../development/extensions.md#loading-extensions) `drui
 Please see [Authentication and Authorization](../../design/auth.md) for more information on the extension interfaces being implemented.
+---
+**NOTE**
+
+The latest release of Apache Ranger is at the time of writing version 2.0. This version has a dependency
+on `log4j 1.2.17` which has a vulnerability if you configure it to use a `SocketServer` (CVE-2019-17571). Next to that,
+it also includes Kafka 2.0.0 which has 2 known vulnerabilities (CVE-2019-12399, CVE-2018-17196). Kafka can be used
+by the audit component in Ranger, but is not required.
+
+---
+
 ## Configuration Support for Apache Ranger authorization consists of three elements: configuration of the extension
diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
index a6433a1f176..f44e0005ad6 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -187,4 +187,36 @@
 ^pkg:npm/node\-sass@.*$ CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
+
+
+
+ ^pkg:maven/org\.apache\.kafka/kafka_2.11@2.0.0$
+ CVE-2019-12399
+ CVE-2018-17196
+
+
+
+
+ ^pkg:maven/org\.apache\.kafka/kafka-clients@2.0.0$
+ CVE-2019-12399
+ CVE-2018-17196
+
+
+
+
+ ^pkg:maven/log4j/log4j@1.2.17$
+ CVE-2019-17571
+
diff --git a/website/.spelling b/website/.spelling
index b3f1deae329..f7bee5936b7 100644
--- a/website/.spelling
+++ b/website/.spelling
@@ -1726,4 +1726,7 @@ regionName
 - ../docs/development/extensions-core/druid-ranger-security.md
 json
 metastore
-UserGroupInformation
\ No newline at end of file
+UserGroupInformation
+CVE-2019-17571
+CVE-2019-12399
+CVE-2018-17196
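Review bot: The three new suppressions for `kafka_2.11@2.0.0`, `kafka-clients@2.0.0` and `log4j@1.2.17` are open-ended, so dependency-check will stay silent on CVE-2019-12399, CVE-2018-17196 and CVE-2019-17571 even after the Ranger dependency moves to a release that no longer pulls these exact versions, and nobody is prompted to re-check. OWASP dependency-check lets a suppression expire via the `until` attribute, e.g. `<suppress until="YYYY-MM-DDZ">` with a real date in place of the placeholder; I would put one on each of the three entries so they are revisited on the next Ranger bump. Pinning the package-URL regexes to exact versions is the right call, but whatever notes text accompanies each entry is not visible in this hunk, so I cannot tell whether it records the rationale given in the companion docs note (log4j only exposed when a `SocketServer` is configured, Kafka only used by the optional Ranger audit component); that reasoning belongs next to the suppression so a later reviewer can judge whether it still holds.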