Posted to issues@spark.apache.org by "t oo (JIRA)" <ji...@apache.org> on 2018/06/10 23:16:00 UTC

[jira] [Created] (SPARK-24509) Spark WebUI [security] - Web Server Version Disclosure

t oo created SPARK-24509:
----------------------------

             Summary: Spark WebUI [security] - Web Server Version Disclosure
                 Key: SPARK-24509
                 URL: https://issues.apache.org/jira/browse/SPARK-24509
             Project: Spark
          Issue Type: Bug
          Components: Web UI
    Affects Versions: 2.3.0
            Reporter: t oo


*Risk/Issue summary description/detail*
The Spark web portals expose technical details about their infrastructure through server response headers.

The Server header is appended to the server responses as part of the HTTP/1.1 standard. These headers inadvertently disclose information that may aid an attacker in gathering information for a targeted attack. The following information was gathered from server response headers:

Server: Jetty(9.3.z-SNAPSHOT)
Server: Apache-Coyote/1.1
 

*Business impact / attack scenario*
An attacker may use this information to identify technologies and research publicly disclosed vulnerabilities that may affect the system.

*Recommendation*
Remove the Server header from application responses.


