Posted to issues@spark.apache.org by "t oo (JIRA)" <ji...@apache.org> on 2018/06/10 23:16:00 UTC
[jira] [Created] (SPARK-24509) Spark WebUI [security] - Web Server Version Disclosure
t oo created SPARK-24509:
----------------------------
Summary: Spark WebUI [security] - Web Server Version Disclosure
Key: SPARK-24509
URL: https://issues.apache.org/jira/browse/SPARK-24509
Project: Spark
Issue Type: Bug
Components: Web UI
Affects Versions: 2.3.0
Reporter: t oo
*Risk/Issue summary description/detail*
The Spark web portals expose technical details about their infrastructure through server response headers.
The Server header is appended to server responses as part of the HTTP/1.1 standard. These headers inadvertently disclose details that may aid an attacker in reconnaissance for a targeted attack. The following information was gathered from server response headers:
Server: Jetty(9.3.z-SNAPSHOT)
Server: Apache-Coyote/1.1
*Business impact / attack scenario*
An attacker may use this information to identify technologies and research publicly disclosed vulnerabilities that may affect the system.
*Recommendation*
Remove the Server header from application responses.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)