Critical severity · NVD Advisory · Published Jan 21, 2025 · Updated Jun 10, 2025

Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost

CVE-2024-45479

Description

SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Ranger 2.4.0 Edit Service Page is vulnerable to SSRF, allowing requests to internal resources; fixed in 2.5.0.

Vulnerability

Overview

CVE-2024-45479 is a Server-Side Request Forgery (SSRF) vulnerability located in the Edit Service Page of the Apache Ranger UI, specifically affecting version 2.4.0 [1][2][4]. The root cause is insufficient validation of URLs or service endpoints provided by authenticated administrators, enabling the server to make unauthorized requests [4].

Exploitation and Attack Surface

An attacker with administrative access to the Ranger UI can submit crafted service configurations that trigger the backend to send HTTP requests to arbitrary destinations [1][4]. Since the attack requires authenticated access to the Edit Service Page, the prerequisite is possession of valid admin credentials or a session in which the attacker can manipulate service definitions [4]. The SSRF can target internal network resources (e.g., localhost or private IP ranges) that are normally unreachable from outside [4].

Impact

Successful exploitation allows the attacker to probe and interact with internal services behind the firewall, potentially gathering sensitive information from cloud metadata endpoints, internal APIs, or other systems that trust the Ranger server [1][4]. This can lead to further lateral movement within the network.

Mitigation

The vulnerability is fixed in Apache Ranger version 2.5.0 [1][2][4]. Users running 2.4.0 are advised to upgrade immediately. If an upgrade is not possible, restricting administrative access to the UI and implementing network-level controls (such as firewall rules that block outbound requests from the Ranger server to private IP ranges) can reduce risk [4].
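The fix named in the advisory title is "logic to filter requests to localhost". The following is an added example of what such a destination filter looks like in a service-test handler; it is written for this page and is not Apache Ranger's own code. It assumes a hypothetical vet_service_url() entry point, a constructed block list of loopback, RFC 1918, link-local (including the cloud metadata address) and IPv6-equivalent ranges, and a pluggable resolver so the check can be exercised without network access.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Constructed block list for this example: destinations an admin-supplied
# service URL must never reach from the Ranger server.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),     # IPv4 loopback
    ipaddress.ip_network("0.0.0.0/8"),       # "this host" addresses
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918 private
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918 private
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918 private
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, incl. cloud metadata 169.254.169.254
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique-local
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
]

ALLOWED_SCHEMES = ("http", "https")

Resolver = Callable[[str], List[str]]


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to every address it maps to (hypothetical default)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr_text: str) -> bool:
    """True if a single resolved address falls inside a blocked range."""
    addr = ipaddress.ip_address(addr_text)
    # ::ffff:127.0.0.1 is loopback too; compare the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def vet_service_url(url: str, resolver: Resolver = default_resolver) -> Tuple[bool, str, List[str]]:
    """Decide whether the server may contact the URL an administrator supplied.

    Returns (allowed, reason, resolved_addresses). Every address the host
    resolves to is checked, so non-canonical literals ("localhost", "127.1")
    are judged by what the resolver turns them into, not by their spelling.
    The caller should connect to the returned addresses rather than resolving
    the name a second time, so a DNS answer cannot change between the check
    and the connection.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    host = parts.hostname  # brackets around IPv6 literals are already stripped
    if not host:
        return False, "missing host", []
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no resolution needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "resolution failed", []
    if not addrs:
        return False, "resolution failed", []
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"blocked address {addr}", addrs
    return True, "ok", addrs


if __name__ == "__main__":
    # Constructed inputs; the lambda resolvers stand in for DNS so this runs offline.
    samples = [
        ("http://127.0.0.1:6080/service/public/v2/api/service", lambda h: []),
        ("http://localhost:6080/", lambda h: ["127.0.0.1", "::1"]),
        ("http://169.254.169.254/latest/meta-data/", lambda h: []),
        ("https://hive.corp.example:10000/", lambda h: ["10.20.30.40"]),
        ("https://plugin.example.com/", lambda h: ["203.0.113.10"]),
    ]
    for url, res in samples:
        print(url, "->", vet_service_url(url, resolver=res)[:2])
```

Redirects returned by the remote service need the same check on the Location target before they are followed, and the resolved addresses returned here should be the ones actually connected to; re-resolving the name at connect time reintroduces the gap the check is meant to close.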

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.ranger:ranger (Maven)
Affected versions: < 2.5.0
Patched versions: 2.5.0

Affected products: 3


