Posted to issues@spark.apache.org by "Marcelo Vanzin (JIRA)" <ji...@apache.org> on 2018/06/11 16:41:00 UTC
[jira] [Reopened] (SPARK-24508) Spark WebUIs [Security] - Inadequate Cache Directive Headers
[ https://issues.apache.org/jira/browse/SPARK-24508?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marcelo Vanzin reopened SPARK-24508:
------------------------------------
> Spark WebUIs [Security] - Inadequate Cache Directive Headers
> ------------------------------------------------------------
>
> Key: SPARK-24508
> URL: https://issues.apache.org/jira/browse/SPARK-24508
> Project: Spark
> Issue Type: Bug
> Components: Web UI
> Affects Versions: 2.3.0
> Reporter: t oo
> Priority: Major
> Labels: security
>
> Several web portals do not use sufficient cache related headers.
> Cache related headers instruct browsers and intermediary proxies to not cache any data received or sent. The following cache related headers were missing or not properly set:
> * Cache-Control: not set to no-cache no-store
> * Pragma header missing
> * Expires header not backdated or -1
> The following applications/requests are affected (note that this is a non-exhaustive list, recommendations should be applied to all applications):
> [https://host:8480/api/v1/applications/app-20180522035225-0000/allexecutors]
> [https://host:18480/api/v1/applications?limit=1500&status=completed]
> *
> Business impact / attack scenario*
> By allowing proxies or browsers to cache sensitive information, it is possible for an attacker with access to the machine to retrieve information about Spark infrastructure.
> *
> Recommendation*
> Set the following cache related headers for all sensitive information:
> Cache-Control: no-cache no-store
> Pragma: no-cache
> Expires: -1
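The following is an added example, not code from Spark or from the JIRA ticket, showing how an operator could audit a set of HTTP response headers against the three findings the ticket lists (Cache-Control without no-cache/no-store, Pragma missing, Expires not backdated or -1). The sample responses are constructed for illustration; the function names and the `now` parameter are this example's own. It writes the recommended Cache-Control value with a comma separator, which is the HTTP directive syntax (the ticket writes it space separated; the checker accepts both).

```python
"""Audit HTTP response headers for the cache directives recommended in SPARK-24508.

Added example (not part of Spark or the ticket). All sample responses below
are constructed for illustration only.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Directives the ticket requires on sensitive responses.
REQUIRED_CACHE_CONTROL = {"no-cache", "no-store"}


def _split_directives(value):
    # Cache-Control directives are comma separated in HTTP; the ticket writes
    # them space separated, so accept either form.
    return {tok.strip().lower() for tok in value.replace(",", " ").split() if tok.strip()}


def check_cache_headers(headers, now=None):
    """Return a list of findings; an empty list means the response is acceptable.

    `headers` maps header name -> value (names compared case-insensitively).
    `now` (aware datetime, assumed UTC) is only used to judge whether Expires
    is backdated.
    """
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    cc = h.get("cache-control")
    if cc is None:
        findings.append("Cache-Control header missing")
    else:
        missing = REQUIRED_CACHE_CONTROL - _split_directives(cc)
        if missing:
            findings.append("Cache-Control lacks " + ", ".join(sorted(missing)))

    pragma = h.get("pragma")
    if pragma is None:
        findings.append("Pragma header missing")
    elif "no-cache" not in _split_directives(pragma):
        findings.append("Pragma not set to no-cache")

    expires = h.get("expires")
    if expires is None:
        findings.append("Expires header missing")
    elif expires.strip() not in ("-1", "0"):
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            # RFC 7234: an unparseable Expires value counts as already expired.
            when = None
        if when is not None:
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when > now:
                findings.append("Expires is in the future")
    return findings


def recommended_headers():
    """Header values the ticket recommends for sensitive responses."""
    return {"Cache-Control": "no-cache, no-store", "Pragma": "no-cache", "Expires": "-1"}


# Constructed sample responses: one with no cache headers (the reported state),
# one cacheable by a shared proxy, one backdated, and one using the recommendation.
SAMPLE_RESPONSES = {
    "no_headers": {"Content-Type": "application/json"},
    "cacheable": {
        "Cache-Control": "public, max-age=3600",
        "Pragma": "no-cache",
        "Expires": "Thu, 01 Jan 2037 00:00:00 GMT",
    },
    "backdated": {
        "Cache-Control": "no-store, no-cache",
        "Pragma": "no-cache",
        "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
    },
    "recommended": recommended_headers(),
}


def audit_samples():
    """Run the checker over every constructed sample with a fixed clock."""
    fixed_now = datetime(2018, 6, 11, tzinfo=timezone.utc)  # constructed
    return {name: check_cache_headers(hdrs, now=fixed_now) for name, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {findings or 'OK'}")
```

In practice the header mapping would come from the response of a client such as `urllib.request` or `requests` against each UI or REST endpoint named in the ticket; the checker itself is transport-agnostic so it can also be run over headers recorded by a proxy.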
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)