Posted to issues@ambari.apache.org by "Julia (JIRA)" <ji...@apache.org> on 2018/08/08 01:46:00 UTC

[jira] [Created] (AMBARI-24420) Attacker can Stop all services

Julia created AMBARI-24420:
------------------------------

             Summary: Attacker can Stop all services
                 Key: AMBARI-24420
                 URL: https://issues.apache.org/jira/browse/AMBARI-24420
             Project: Ambari
          Issue Type: Bug
          Components: ambari-client
    Affects Versions: 2.7.1
            Reporter: Julia


It is possible for an attacker to cause a denial of service situation for a cluster/user. By having a user simply load/visit a URL, all the services on the cluster will be stopped. Not only will this interrupt service, but if the right URLs are loaded in the correct order, services can be left in an unrecoverable state. This is an example: if configuration changes are happening and services are stopped before such changes are properly made, then the services will try to start in a bad configuration state. This is in addition to possible data loss of any jobs happening at the time.

Requests which can cause state changes should not be "GET" requests, which can be abused in such a manner.


Repro steps:


An attacker can DoS/interrupt your cluster by having you visit a URL unknowingly:

https://xxxxxxxxxxxxxxxx.azurehdinsight.net/#/main/services/highAvailability/JournalNode/manage/step4

!https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/bbc264fe-d6f3-4f74-8a63-9e5a6fdff754?fileName=attachfilehandler%20%284%29.png!

!https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/50bd00ca-d219-4f07-8a22-ea58f9f3408d?fileName=attachfilehandler%20%285%29.png!



Also able to force a configuration change by visiting a URL before the shutdown.

Force configuration change

https://xxxxxxxxxxxxxxxx.azurehdinsight.net/#/main/service/reassign/step4

!https://msdata.visualstudio.com/0cd33d4d-ce7c-416d-ab00-26e15edb66e6/_apis/wit/attachments/6b7ca029-cbf2-43dc-8eba-23992ba777dc?fileName=attachfilehandler%20%286%29.png!


--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
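The point raised above (state-changing actions must not be reachable by merely loading a URL) can be illustrated with a small dispatcher. The following is an added example written for this page; it is not Ambari's code and does not reproduce the wizard routes in the report. The cluster, the "/services/stop_all" path, the session cookie, the CSRF token and the "X-Requested-By" header are all constructed assumptions. The vulnerable handler runs the action for any request that carries the victim's session cookie, so a link, redirect or <img src> is enough. The hardened handler additionally demands POST, a custom header that a cross-site form or image load cannot attach, and a per-session token the attacker cannot read.

```python
import hmac
from dataclasses import dataclass, field

# Constructed fixtures standing in for a real login session (assumption, not Ambari values).
SESSION_ID = "sess-0123456789abcdef"
CSRF_TOKEN = "csrf-fedcba9876543210"


@dataclass
class Cluster:
    """Toy in-memory cluster; 'STARTED' -> 'INSTALLED' models a stopped service."""
    services: dict = field(default_factory=lambda: {"HDFS": "STARTED", "YARN": "STARTED"})

    def stop_all(self):
        for name in self.services:
            self.services[name] = "INSTALLED"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def vulnerable_handle(cluster, req):
    """Authenticates the session, then fires the action on ANY method, including GET.
    A victim who merely visits the URL while logged in stops every service."""
    if req.cookies.get("session") != SESSION_ID:
        return 401, "login required"
    if req.path == "/services/stop_all":
        cluster.stop_all()
        return 200, "all services stopped"
    return 404, "not found"


def hardened_handle(cluster, req):
    """Same action, but only via POST + custom header + per-session CSRF token.
    GET (link/redirect/img) is refused before any state is touched."""
    if req.cookies.get("session") != SESSION_ID:
        return 401, "login required"
    if req.path == "/services/stop_all":
        if req.method != "POST":
            return 405, "state change requires POST"
        # Simple cross-site requests (forms, images, top-level navigation) cannot
        # set custom headers; a missing one means the call did not come from our UI.
        if "X-Requested-By" not in req.headers:
            return 400, "missing X-Requested-By header"
        # Constant-time compare of the token the UI embedded in the page.
        if not hmac.compare_digest(req.form.get("csrf_token", ""), CSRF_TOKEN):
            return 403, "bad csrf token"
        cluster.stop_all()
        return 200, "all services stopped"
    return 404, "not found"


def victim_visits(handler, cluster, path):
    """Model the victim clicking an attacker-supplied link: the browser sends a GET
    with the session cookie attached automatically and nothing else."""
    return handler(cluster, Request("GET", path, cookies={"session": SESSION_ID}))


def forged_post(handler, cluster, path):
    """Model an auto-submitting cross-site form: POST with the cookie, but no custom
    header and no knowledge of the token."""
    return handler(cluster, Request("POST", path, cookies={"session": SESSION_ID},
                                    form={"csrf_token": "guess"}))


def legitimate_ui_call(handler, cluster, path):
    """Model the real management UI: POST, custom header, and the page's own token."""
    return handler(cluster, Request("POST", path,
                                    headers={"X-Requested-By": "ui"},
                                    cookies={"session": SESSION_ID},
                                    form={"csrf_token": CSRF_TOKEN}))


if __name__ == "__main__":
    c = Cluster()
    print(victim_visits(vulnerable_handle, c, "/services/stop_all"), c.services)
    c = Cluster()
    print(victim_visits(hardened_handle, c, "/services/stop_all"), c.services)
    print(forged_post(hardened_handle, c, "/services/stop_all"), c.services)
    print(legitimate_ui_call(hardened_handle, c, "/services/stop_all"), c.services)
```

Note that the custom-header check alone is not a substitute for the token: it relies on the browser refusing to send that header cross-site, which holds for simple requests but depends on the server's CORS policy never allowing the header for other origins. The token check does not depend on that policy.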