Posted to users@zeppelin.apache.org by Bicky Ealias <bi...@gmail.com> on 2018/12/05 06:55:17 UTC

Fwd: FW: CORS policy in Zeppelin

Hello users,
Has anyone succeeded in hardening Zeppelin against the CORS vulnerability?
---------- Forwarded message ---------

*From: *Jeff Zhang <zj...@gmail.com>
*Date: *Tuesday, 4 December 2018 at 5:05 pm
*To: *"Ealias, Bicky" <Bi...@cba.com.au>
*Subject: *Re: CORS policy in Zeppelin



Sorry, I don't know about this, could you ask this on the Zeppelin user
mailing list?



Ealias, Bicky <Bi...@cba.com.au> wrote on Tue, 4 Dec 2018 at 10:55 AM:

Hi Jeff,

Hope you are doing well.

Recently we had penetration testing done on Zeppelin, and one vulnerability
that came forward is an issue with Zeppelin's HTML2 CORS policy.

We are on version 0.8.0. I added these configurations as per the
documentation:

https://zeppelin.apache.org/docs/0.8.0/setup/security/http_security_headers.html

But still that doesn't seem to fix the issue.

https://issues.apache.org/jira/browse/ZEPPELIN-245 I see this ticket but
the comment says it's fixed in 0.6.0 already.

Are there some other settings I can change?







*CommonwealthBank*


Bicky Eailas
Analytics & Information
Level 17, 255 Pitt St, Sydney NSW 2000
M: 0406949642
E: bicky.ealias@cba.com.au

*Our vision…To excel at securing and enhancing the **financial wellbeing** of
people, businesses and communities.*






************** IMPORTANT MESSAGE *****************************
This e-mail message is intended only for the addressee(s) and contains
information which may be
confidential.
If you are not the intended recipient please advise the sender by return
email, do not use or
disclose the contents, and delete the message and any attachments from your
system. Unless
specifically indicated, this email does not constitute formal advice or
commitment by the sender
or the Commonwealth Bank of Australia (ABN 48 123 123 124 AFSL and
Australian credit licence 234945)
or its subsidiaries.
We can be contacted through our web site: commbank.com.au.
If you no longer wish to receive commercial electronic messages from us,
please reply to this
e-mail by typing Unsubscribe in the subject line.
**************************************************************




-- 

Best Regards

Jeff Zhang


Re: FW: CORS policy in Zeppelin

Posted by Bicky Ealias <bi...@gmail.com>.
We have authentication in place and we allow no unauthenticated operations.
It has to be handled separately if Zeppelin doesn't have configurations yet.
If anyone else has any thoughts, reach out.

On Thu., 13 Dec. 2018, 7:23 pm Tushar Kapila <tgkprog@gmail.com> wrote:

> What I'm saying is that CORS is not a vulnerability once you have
> authentication in place. CORS works only if the client respects it. Use a
> standalone program like curl or Postman or a custom client or even Chrome
> with security off (
> https://stackoverflow.com/questions/17679399/does-disable-web-security-work-in-chrome-anymore/36939693)
> and you can make a request to any server no matter what its CORS response
> is. The way to harden your server is not to have any public operations
> without authentication. CORS can be ignored. It's a false vulnerability.
> This forum is not the right forum for more discussion on this. You can read
> up on what CORS is and how good auth can protect you.
>
> If you just want to harden your server, a CORS Java filter from GitHub with
> your config can do the trick. Placed in the root web app, it adds CORS
> headers to all traffic.

Re: FW: CORS policy in Zeppelin

Posted by Tushar Kapila <tg...@gmail.com>.
What I'm saying is that CORS is not a vulnerability once you have
authentication in place. CORS works only if the client respects it. Use a
standalone program like curl or Postman or a custom client or even Chrome
with security off (
https://stackoverflow.com/questions/17679399/does-disable-web-security-work-in-chrome-anymore/36939693)
and you can make a request to any server no matter what its CORS response
is. The way to harden your server is not to have any public operations
without authentication. CORS can be ignored. It's a false vulnerability.
This forum is not the right forum for more discussion on this. You can read
up on what CORS is and how good auth can protect you.

If you just want to harden your server, a CORS Java filter from GitHub with
your config can do the trick. Placed in the root web app, it adds CORS
headers to all traffic.

On Thu, 13 Dec, 2018, 13:26 Bicky Ealias <bickyealias@gmail.com> wrote:

> It's authenticated with LDAP. I am talking about the Cross Origin Resource
> Sharing issue, for which there are configurations recommended to harden the
> https headers.
>
> https://issues.apache.org/jira/plugins/servlet/mobile#issue/ZEPPELIN-245
>
> I have followed the steps here
> https://zeppelin.apache.org/docs/0.7.3/security/http_security_headers.html
> but that doesn't seem to fix the vulnerability.
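The kind of allow-list CORS filter suggested in the post above, as an added example that is neither Zeppelin's code nor any poster's: a hypothetical javax.servlet filter (the class name AllowListCorsFilter, the init-param allowedOrigins and the sample origin are all constructed) that grants cross-origin access only to exact, configured origins and never reflects an arbitrary Origin or emits `*`. As the post says, it does not replace authentication, which is what actually stops curl-style clients that ignore CORS.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical allow-list CORS filter (added example, not Zeppelin code).
 * Init-param "allowedOrigins": comma-separated exact origins, for example
 * "https://notebook.example.internal:8443" (constructed value).
 */
public class AllowListCorsFilter implements Filter {

    private Set<String> allowedOrigins = Collections.emptySet();

    @Override
    public void init(FilterConfig config) {
        Set<String> origins = new HashSet<>();
        String raw = config.getInitParameter("allowedOrigins");
        if (raw != null) {
            for (String entry : raw.split(",")) {
                String origin = entry.trim();
                // Refuse the wildcard: "*" together with credentials (session
                // cookies, Basic auth) is the classic pentest finding.
                if (!origin.isEmpty() && !"*".equals(origin)) {
                    origins.add(origin);
                }
            }
        }
        allowedOrigins = origins;
    }

    /** Exact string match only: no prefix, suffix or regex matching. */
    static boolean isAllowedOrigin(String origin, Set<String> allowed) {
        return origin != null && allowed.contains(origin);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");
        boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod());

        if (origin == null) {
            // No Origin header: same-origin navigation or a non-browser client
            // (curl, Postman). CORS is irrelevant; authentication downstream decides.
            chain.doFilter(req, res);
            return;
        }

        if (!isAllowedOrigin(origin, allowedOrigins)) {
            // Unknown origin: emit no Access-Control-* headers, so a browser
            // will not expose the response, and refuse the preflight outright.
            // Simple requests are still forwarded; the app's own authentication
            // and CSRF checks must handle them (browsers also send Origin on
            // same-origin POSTs, so blanket 403 here would need the app's own
            // origin in the allow-list first).
            if (preflight) {
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            chain.doFilter(req, res);
            return;
        }

        // Known origin: echo that exact origin (never "*") and mark the
        // response as varying by Origin so shared caches keep them apart.
        response.setHeader("Access-Control-Allow-Origin", origin);
        response.setHeader("Vary", "Origin");
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
        response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
        response.setHeader("Access-Control-Max-Age", "600");

        if (preflight) {
            // Preflight is answered here; the application never sees it.
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register it in web.xml (or programmatically) with the allowedOrigins init-param set to the front-end origin(s); a stock Zeppelin deployment also carries its own allow-list in zeppelin.server.allowed.origins in zeppelin-site.xml, whose default of `*` is worth checking before adding a filter.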

Re: FW: CORS policy in Zeppelin

Posted by Bicky Ealias <bi...@gmail.com>.
It's authenticated with LDAP. I am talking about the Cross Origin Resource
Sharing issue, for which there are configurations recommended to harden the
https headers.

https://issues.apache.org/jira/plugins/servlet/mobile#issue/ZEPPELIN-245

I have followed the steps here
https://zeppelin.apache.org/docs/0.7.3/security/http_security_headers.html
but that doesn't seem to fix the vulnerability.

On Thu., 13 Dec. 2018, 5:13 pm Tushar Kapila <tgkprog@gmail.com> wrote:

> If it is exposed and you don't want unauthorized users to read or write,
> you need to add authentication. Apache Shiro, or make the Zeppelin port
> private (behind a firewall) and proxy all requests through a server that has
> the authentication you want.

Re: FW: CORS policy in Zeppelin

Posted by Tushar Kapila <tg...@gmail.com>.
If it is exposed and you don't want unauthorized users to read or write, you
need to add authentication. Apache Shiro, or make the Zeppelin port private
(behind a firewall) and proxy all requests through a server that has the
authentication you want.



On Thu, 13 Dec, 2018, 11:12 Tushar Kapila <tgkprog@gmail.com> wrote:

> Is your Zeppelin exposed to the internet? If not, I don't see why this
> should be an issue if it's behind the firewall.

Re: FW: CORS policy in Zeppelin

Posted by Tushar Kapila <tg...@gmail.com>.
Is your Zeppelin exposed to the internet? If not, I don't see why this should
be an issue if it's behind the firewall.

On Wed, 12 Dec, 2018, 03:57 Bicky Ealias <bickyealias@gmail.com> wrote:

> Checking again. Has anyone got a chance to fix the CORS issue on Zeppelin?

Re: FW: CORS policy in Zeppelin

Posted by Bicky Ealias <bi...@gmail.com>.
Checking again. Has anyone got a chance to fix the CORS issue on Zeppelin?

On Wed., 5 Dec. 2018, 5:55 pm Bicky Ealias <bickyealias@gmail.com> wrote:

> Hello users,
> Has anyone succeeded in hardening Zeppelin against the CORS vulnerability?
> ---------- Forwarded message ---------
>
> *From: *Jeff Zhang <zj...@gmail.com>
> *Date: *Tuesday, 4 December 2018 at 5:05 pm
> *To: *"Ealias, Bicky" <Bi...@cba.com.au>
> *Subject: *Re: CORS policy in Zeppelin
>
> Sorry, I don't know about this, could you ask this on the Zeppelin user
> mailing list?
>
> Ealias, Bicky <Bi...@cba.com.au> wrote on Tue, 4 Dec 2018 at 10:55 AM:
>
> Hi Jeff,
>
> Hope you are doing well.
>
> Recently we had penetration testing done on Zeppelin, and one vulnerability
> that came forward is an issue with Zeppelin's HTML2 CORS policy.
>
> We are on version 0.8.0. I added these configurations as per the
> documentation:
>
> https://zeppelin.apache.org/docs/0.8.0/setup/security/http_security_headers.html
>
> But still that doesn't seem to fix the issue.
>
> https://issues.apache.org/jira/browse/ZEPPELIN-245 I see this ticket but
> the comment says it's fixed in 0.6.0 already.
>
> Are there some other settings I can change?