Description
In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/2
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C110cd117-75ed-364b-cd38-3effd20f2183%40apache.org%3E
Related Vulnerabilities
CVE-2022-1274 Vulnerability in maven package org.keycloak:keycloak-themes
CVE-2021-45456 Vulnerability in maven package org.apache.kylin:kylin-server-base
CVE-2019-0200 Vulnerability in maven package org.apache.qpid:qpid-broker-plugins-amqp-0-8-protocol
CVE-2021-25640 Vulnerability in maven package org.apache.dubbo:dubbo
CVE-2021-23416 Vulnerability in npm package curly-bracket-parser