Description
In Apache Ozone versions prior to 1.2.0, Various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from Datanode and Ozone manager and modify Ratis replication configuration.
Remediation
References
http://www.openwall.com/lists/oss-security/2021/11/19/2
https://mail-archives.apache.org/mod_mbox/ozone-dev/202111.mbox/%3C110cd117-75ed-364b-cd38-3effd20f2183%40apache.org%3E
Related Vulnerabilities
CVE-2022-36364 Vulnerability in maven package org.apache.calcite.avatica:avatica-core
CVE-2020-8124 Vulnerability in maven package org.webjars.bowergithub.unshiftio:url-parse
CVE-2020-9480 Vulnerability in maven package org.apache.spark:spark-network-shuffle_2.10
CVE-2019-3894 Vulnerability in maven package org.wildfly:wildfly-ee
CVE-2022-45690 Vulnerability in maven package cn.hutool:hutool-json