Posted to yarn-issues@hadoop.apache.org by "Andrew Kyle Purtell (Jira)" <ji...@apache.org> on 2022/10/06 22:27:00 UTC

[jira] [Created] (YARN-11331) YARN UIs embed problematic javascript

Andrew Kyle Purtell created YARN-11331:
------------------------------------------

             Summary: YARN UIs embed problematic javascript
                 Key: YARN-11331
                 URL: https://issues.apache.org/jira/browse/YARN-11331
             Project: Hadoop YARN
          Issue Type: Bug
    Affects Versions: 3.3.4
            Reporter: Andrew Kyle Purtell


YARN component UIs, especially the Application Catalog, embed several problematic Javascript components. 

First and foremost is the Angular framework, for which all development has ceased and several vulnerabilities are known and listed in the CVE database. To fix this requires a migration away from Angular to some other framework. 

Another component like this is x-editable, an editor widget for Bootstrap. There is a cross-site scripting problem for which no fixed version exists. This requires use of an alternative component or the addition of a mitigating control.

All Bootstrap versions 3.x have an issue covered by CVE-2018-14041, a cross-site scripting problem, fixed in Bootstrap versions 4.1.3 and later. This requires a migration where Bootstrap 3.x is in use to Bootstrap 4.1.3+.

At my workplace we have chosen to delete the Application Catalog, which I recommend as the most likely path to satisfaction for you as well, because the Angular problem lacks a path forward other than reimplementation.

x-editable and Bootstrap issues persist in other places. 

Rather than collect these findings piecemeal, it is suggested that this issue be used as an umbrella.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
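The following is an added example, not code from this issue, from its reporter, or from the Hadoop YARN project. It shows one way a maintainer could turn the findings above into a repeatable check: scan the JavaScript files bundled with a web UI for library banner comments, identify the library and version, and flag the ones the issue calls out (Bootstrap below 4.1.3 for CVE-2018-14041, any AngularJS, any x-editable). The banner regexes, the sample assets and the `auditAssets` / `identifyLibrary` / `compareVersions` names are assumptions constructed for illustration; a real build would feed it the actual files under the webapp's static directory.

```javascript
// Added example (not from the YARN issue or the Hadoop project): audit
// bundled JavaScript assets for the vulnerable/unsupported libraries the
// issue above names. Banner regexes are assumed forms of the comment each
// library ships at the top of its minified file; sample assets are constructed.

const BANNER_PATTERNS = [
  // e.g. "/*! Bootstrap v3.3.7 (http://getbootstrap.com)" (assumed banner form)
  { name: "bootstrap", re: /Bootstrap v(\d+\.\d+\.\d+)/ },
  // e.g. "@license AngularJS v1.8.2" (assumed banner form)
  { name: "angularjs", re: /AngularJS v(\d+\.\d+\.\d+)/ },
  // e.g. "/*! X-editable - v1.5.1" (assumed banner form)
  { name: "x-editable", re: /X-editable - v(\d+\.\d+\.\d+)/i },
];

// Split "major.minor.patch" into numbers so comparisons are numeric, not lexical.
function parseVersion(v) {
  return v.split(".").map(Number);
}

// Returns a negative number if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Policy derived from the findings in the issue above: each rule says whether
// a detected version is a finding and why. fixedIn is null where the issue
// reports no fixed version, i.e. the component has to be replaced.
const POLICY = {
  bootstrap: {
    fixedIn: "4.1.3",
    isFinding: (v) => compareVersions(v, "4.1.3") < 0,
    reason: "CVE-2018-14041 (cross-site scripting); fixed in Bootstrap 4.1.3 and later",
  },
  angularjs: {
    fixedIn: null,
    isFinding: () => true,
    reason: "AngularJS development has ceased; known CVEs, migration required",
  },
  "x-editable": {
    fixedIn: null,
    isFinding: () => true,
    reason: "cross-site scripting with no fixed version; replace or add a mitigating control",
  },
};

// Identify a library and version from the banner comment in a JS source file.
function identifyLibrary(source) {
  for (const { name, re } of BANNER_PATTERNS) {
    const m = source.match(re);
    if (m) return { name, version: m[1] };
  }
  return null;
}

// Walk a list of { path, source } assets and return one finding per asset
// whose identified library/version the policy flags.
function auditAssets(assets) {
  const findings = [];
  for (const { path, source } of assets) {
    const lib = identifyLibrary(source);
    if (!lib) continue;
    const rule = POLICY[lib.name];
    if (rule && rule.isFinding(lib.version)) {
      findings.push({
        path,
        library: lib.name,
        version: lib.version,
        fixedIn: rule.fixedIn,
        reason: rule.reason,
      });
    }
  }
  return findings;
}

// Constructed sample assets standing in for files under a webapp's static dir.
const SAMPLE_ASSETS = [
  { path: "webapp/static/bootstrap.min.js", source: "/*!\n * Bootstrap v3.3.7 (http://getbootstrap.com)\n */" },
  { path: "webapp/static/bootstrap-4.min.js", source: "/*!\n * Bootstrap v4.6.0 (https://getbootstrap.com/)\n */" },
  { path: "webapp/static/angular.min.js", source: "/*\n @license AngularJS v1.8.2\n */" },
  { path: "webapp/static/bootstrap-editable.js", source: "/*! X-editable - v1.5.1\n*/" },
  { path: "webapp/static/app.js", source: "function init(){}" },
];

console.log(JSON.stringify(auditAssets(SAMPLE_ASSETS), null, 2));
```

Run with `node audit.js`; the sample flags Bootstrap 3.3.7, AngularJS 1.8.2 and x-editable 1.5.1 and passes Bootstrap 4.6.0. Banner matching is deliberately simple: it catches vendored copies that a package manifest would miss, but a library whose banner was stripped by minification would be missed, so in practice it complements rather than replaces a manifest-based dependency scan.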
