Posted to commits@airflow.apache.org by "Ash Berlin-Taylor (Jira)" <ji...@apache.org> on 2019/12/10 22:14:00 UTC

[jira] [Closed] (AIRFLOW-4181) [security] ui - Server Information Disclosure

     [ https://issues.apache.org/jira/browse/AIRFLOW-4181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ash Berlin-Taylor closed AIRFLOW-4181.
--------------------------------------
    Resolution: Won't Do

I do not see that disclosing the version of the software is a security risk.

Let's say that a hypothetical vulnerability is disclosed in Gunicorn – what are the chances that someone is going to just blindly try it in a scatter-gun approach, vs see "Oh it doesn't claim to be this version, I won't bother trying this vulnerability". That is not how automated probes work.

> [security] ui - Server Information Disclosure
> ---------------------------------------------
>
>                 Key: AIRFLOW-4181
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4181
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: security, ui
>            Reporter: t oo
>            Priority: Trivial
>
> The Airflow application reveals server information through HTTP response headers. The following information is provided:
> Server: gunicorn/19.9.0. The application also allows access to a default monitoring page /health which provides a small amount of information about the server status.
>
> Business Impact/Attack Scenario
> Information regarding the web server, version information, frameworks, development methodology or anything related to the infrastructure of an application may be collected by an attacker. Information gathered may then be used to perform targeted research, vulnerability or exploit development against known components or social engineering style attacks against application owners. Information gathered also increases the likelihood of compromise in the event publicly disclosed vulnerabilities are released.
>
> Recommendation
> Remove the information from the application's HTTP response headers. Modify gunicorn's conf.py and change the following parameter: gunicorn.SERVER_SOFTWARE = '<change_server_info_here>'.
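The recommendation above changes what gunicorn puts in the Server header; what a defender then wants is a repeatable check that the change actually took effect and that no other header still carries a product/version string. The following is an added example written for this page, not code from the Airflow project, gunicorn, or the issue reporter. It parses a raw HTTP response head and reports every audited header whose value contains a `product/version` token. The two response samples are constructed: one mirrors the `Server: gunicorn/19.9.0` value quoted in the report, the other shows the same response after `gunicorn.SERVER_SOFTWARE` has been overridden with a generic value (the value `webserver` is an arbitrary choice for the example).

```python
import re
from typing import Dict, List, Tuple

# Headers that commonly carry product names and version strings.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# A product token followed by a numeric version, e.g. "gunicorn/19.9.0" or "PHP/7.4.3".
VERSION_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")


def parse_response_head(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Parse the status line and headers of a raw HTTP/1.x response.

    Returns (status_line, headers). Header names are lower-cased because
    HTTP header names are case-insensitive; each name maps to the list of
    values seen, in order, so repeated headers are not silently dropped.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line or ":" not in line:
            continue  # skip blank or malformed lines rather than failing the audit
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def audit_headers(headers: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return one (header, product, version) finding per disclosing token.

    A header that is absent, or whose value names no version (e.g. a bare
    "nginx" or a generic "webserver"), produces no finding.
    """
    findings: List[Tuple[str, str, str]] = []
    for name in DISCLOSURE_HEADERS:
        for value in headers.get(name, []):
            for product, version in VERSION_TOKEN.findall(value):
                findings.append((name, product, version))
    return findings


def audit_raw_response(raw: bytes) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: parse a raw response head and audit its headers."""
    _, headers = parse_response_head(raw)
    return audit_headers(headers)


# Constructed sample: a response head carrying the default gunicorn 19.9.0 Server value
# quoted in the report. The Date and body are made up for the example.
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: gunicorn/19.9.0\r\n"
    b"Date: Tue, 10 Dec 2019 22:14:00 GMT\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# Constructed sample: the same response after gunicorn.SERVER_SOFTWARE was set to a
# generic string ("webserver" is an arbitrary placeholder, not a recommended value).
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: webserver\r\n"
    b"Date: Tue, 10 Dec 2019 22:14:00 GMT\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html>...</html>"
)


if __name__ == "__main__":
    for label, raw in (("before", LEAKY_RESPONSE), ("after", HARDENED_RESPONSE)):
        findings = audit_raw_response(raw)
        status = "disclosure" if findings else "clean"
        print(f"{label}: {status} {findings}")
```

In practice the raw bytes would come from a captured response to the Airflow webserver (for example the `/health` page mentioned in the report), and the check belongs in a deployment smoke test so that a gunicorn upgrade that resets the configured value is noticed immediately. The audit deliberately reports every version-bearing token in each listed header, so a value such as `Apache/2.4.41 (Ubuntu)` or a proxy that appends its own product string is flagged as well, not only the gunicorn case discussed here.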



--
This message was sent by Atlassian Jira
(v8.3.4#803005)