Posted to issues@spark.apache.org by "Marcelo Vanzin (JIRA)" <ji...@apache.org> on 2018/06/11 16:51:00 UTC

[jira] [Resolved] (SPARK-24511) Spark WebUI allows Weak TLS Protocols

     [ https://issues.apache.org/jira/browse/SPARK-24511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marcelo Vanzin resolved SPARK-24511.
------------------------------------
    Resolution: Not A Problem

The default in jdk8 is 1.2. If you configure your application with insecure settings, that's kinda your problem. By default, SSL is not even on...

> Spark WebUI allows Weak TLS Protocols
> -------------------------------------
>
>                 Key: SPARK-24511
>                 URL: https://issues.apache.org/jira/browse/SPARK-24511
>             Project: Spark
>          Issue Type: Bug
>          Components: Web UI
>    Affects Versions: 2.3.0
>            Reporter: t oo
>            Priority: Major
>              Labels: security
>         Attachments: SSL.PNG
>
>
> *Risk/Issue summary finding*
> {code:java}
> Weak TLS Protocols Supported{code}
> *Risk/Issue summary description/detail*
> {code:java}
> The Spark web portals support the use of weak TLS protocols (TLSv1.0).
> Transport Layer Security (TLS) is the IETF standard cryptographic protocol for secure communications. It provides authentication, confidentiality and integrity between the client and the server. While the successor of SSL, TLSv1.0 has been superseded by versions 1.1 and 1.2, and is vulnerable to a variety of downgrade attacks due to its close implementation with SSLv3.
> {code}
> *Business impact / attack scenario*
> {code:java}
> Vulnerabilities in the Transport Layer Security protocols and ciphers can allow attackers to decrypt and view sensitive information transferred between the server and the client. They need to be positioned between the client and server in order to intercept messages.{code}
> *Recommendation*
> {code:java}
> Use TLSv1.2 with strong cipher suites (>= 128 bits) for all communications between the client and server.{code}
>  
> spark-defaults.conf of below applied:
> spark.ssl.enabled true
> spark.ssl.keyStore /home/ec2-user/spark_home/conf/redact.jks
> spark.ssl.trustStore /home/ec2-user/spark_home/conf/redact-trust-nonprd.jks
> spark.ssl.enabledAlgorithms ECDHE-RSA-AES256-SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> spark.ssl.protocol TLSv1.2
> spark.ssl.trustStoreType JKS
>  
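An added example, not Spark's own code, that lints the spark.ssl.* keys quoted above for the weaknesses the finding describes: SSL left off, a protocol below TLSv1.2, and enabled-algorithm entries that are either weak suites or, like the first entry in the list above, OpenSSL-style names that JSSE does not recognise. The config text embedded in it is constructed from the quoted settings, with placeholder key-store paths.

```python
"""Lint the spark.ssl.* settings in a spark-defaults.conf for weak TLS choices.
Added example, not Spark project code. SAMPLE_CONF is constructed from the
settings quoted in the ticket; the key-store paths are placeholders."""
import re

SAMPLE_CONF = """\
spark.ssl.enabled true
spark.ssl.keyStore /PLACEHOLDER/conf/redact.jks
spark.ssl.trustStore /PLACEHOLDER/conf/redact-trust-nonprd.jks
spark.ssl.enabledAlgorithms ECDHE-RSA-AES256-SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
spark.ssl.protocol TLSv1.2
spark.ssl.trustStoreType JKS
"""

# JSSE SSLContext protocol names, ordered oldest to newest.
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
# Suite-name fragments worth flagging: a trailing _SHA means HMAC-SHA1 with a CBC
# cipher; the rest are RC4, (3)DES, NULL encryption, export grades and anonymous DH.
WEAK_SUITE = re.compile(r"(_SHA$|_RC4_|_3DES_|_DES_|_NULL_|_EXPORT_|_anon_)")


def parse_conf(text):
    """spark-defaults.conf is one 'key<whitespace>value' per line; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = re.split(r"\s+", line, maxsplit=1)
            conf[parts[0]] = parts[1] if len(parts) > 1 else ""
    return conf


def lint_ssl(conf):
    """Return a list of findings; an empty list means nothing weak was spotted."""
    if conf.get("spark.ssl.enabled", "false").lower() != "true":
        return ["spark.ssl.enabled is not true: the Web UI is served over plain HTTP"]
    findings = []
    proto = conf.get("spark.ssl.protocol")
    if proto is None:
        findings.append("spark.ssl.protocol is unset: the JVM default SSLContext is used")
    elif PROTOCOL_RANK.get(proto, -1) < PROTOCOL_RANK["TLSv1.2"]:
        findings.append(f"spark.ssl.protocol={proto}: below TLSv1.2")
    suites = [s.strip() for s in conf.get("spark.ssl.enabledAlgorithms", "").split(",")]
    for suite in filter(None, suites):
        if not suite.startswith(("TLS_", "SSL_")):
            # OpenSSL-style names are not JSSE names, so the JVM cannot enable the suite.
            findings.append(f"{suite}: not a JSSE cipher suite name, the JVM cannot enable it")
        elif WEAK_SUITE.search(suite):
            findings.append(f"{suite}: weak suite (SHA-1 CBC, RC4, DES, NULL, export or anonymous)")
    return findings
```

The lint reads configuration only; spark.ssl.protocol names a JSSE SSLContext, and on JDK 8 a "TLSv1.2" context still enables TLSv1 and TLSv1.1 by default, so also confirm which versions your running UI actually negotiates by handshaking against the endpoint itself.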



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
