Description
In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/2
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C110cd117-75ed-364b-cd38-3effd20f2183%40apache.org%3E
Related Vulnerabilities
CVE-2022-40764 Vulnerability in npm package snyk-go-plugin
CVE-2019-10785 Vulnerability in maven package org.webjars.bower:dojox
CVE-2019-16775 Vulnerability in maven package org.webjars.npm:bin-links
CVE-2020-13935 Vulnerability in maven package org.apache.tomcat:tomcat-websocket
CVE-2020-2296 Vulnerability in maven package org.jenkins-ci.plugins:shared-objects