Posted to yarn-issues@hadoop.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/08/19 07:52:00 UTC
[jira] [Commented] (YARN-10973) Remove Jersey version from application.wadl for Security Reasons
[ https://issues.apache.org/jira/browse/YARN-10973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17581710#comment-17581710 ]
ASF GitHub Bot commented on YARN-10973:
---------------------------------------
liziwl commented on PR #3510:
URL: https://github.com/apache/hadoop/pull/3510#issuecomment-1220363570
Maybe you can try adding `params.put(ResourceConfig.FEATURE_DISABLE_WADL, "true");` after
https://github.com/apache/hadoop/blob/f75c58a1ca349435e318fa5ffb5929a3cb5fcb45/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApp.java#L192
> Remove Jersey version from application.wadl for Security Reasons
> ----------------------------------------------------------------
>
> Key: YARN-10973
> URL: https://issues.apache.org/jira/browse/YARN-10973
> Project: Hadoop YARN
> Issue Type: Improvement
> Reporter: Tamas Domok
> Assignee: Tamas Domok
> Priority: Major
> Labels: pull-request-available
> Time Spent: 1h
> Remaining Estimate: 0h
>
> A security audit highlighted that the auto generated *application.wadl* contains the Jersey RESTful Web Services's version - _jersey:generatedBy="Jersey: 1.19 02/11/2015 03:25 AM"_ - and we should hide this attribute.
> Unfortunately it is not possible to disable this attribute from the Jersey API: https://github.com/javaee/jersey-1.x/blob/864a01d7be490ab93d2424da3e446ad8eb84b1e8/jersey-server/src/main/java/com/sun/jersey/server/wadl/WadlBuilder.java#L245
> The only workaround I could come up with is to create a filter and remove the tag by hand.
>
> I'm not sure if this is worth the hassle; Hadoop is open source and the used software component versions could be identified quite easily. Anyway, I created a patch with the workaround, *but it's up to discussion if we really need this or not.*
>
> *How to test?*
> {code:java}
> curl -v "http://localhost:8088/application.wadl"
> {code}
> *Actual:*
> {code:java}
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <application xmlns="http://wadl.dev.java.net/2009/02">
> <doc xmlns:jersey="http://jersey.java.net/" jersey:generatedBy="Jersey: 1.19 02/11/2015 03:25 AM"/>
> {code}
> *Expected:*
> {code:java}
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <application xmlns="http://wadl.dev.java.net/2009/02">
> <doc xmlns:jersey="http://jersey.java.net/" />
> {code}
> *Software Version Disclosure*
> It has been detected that detailed platform version information is available to the end users. Such information is very useful in narrowing down the scope of further malicious actions since it reveals what potential security vulnerabilities might be present on the relevant asset.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org