You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-dev@hadoop.apache.org by "Tamas Domok (Jira)" <ji...@apache.org> on 2021/10/01 11:02:00 UTC

[jira] [Created] (YARN-10973) Remove Jersey version from application.wadl for Security Reasons

Tamas Domok created YARN-10973:
----------------------------------

             Summary: Remove Jersey version from application.wadl for Security Reasons
                 Key: YARN-10973
                 URL: https://issues.apache.org/jira/browse/YARN-10973
             Project: Hadoop YARN
          Issue Type: Improvement
            Reporter: Tamas Domok
            Assignee: Tamas Domok


A security audit highlighted that the auto generated *application.wadl* contains the server version - _jersey:generatedBy="Jersey: 1.19 02/11/2015 03:25 AM"_ - and we should hide this attribute.

Unfortunately it is not possible to disable this attribute from the Jersey API: [https://github.com/javaee/jersey-1.x/blob/864a01d7be490ab93d2424da3e446ad8eb84b1e8/jersey-server/src/main/java/com/sun/jersey/server/wadl/WadlBuilder.java#L245|https://github.com/javaee/jersey-1.x/blob/864a01d7be490ab93d2424da3e446ad8eb84b1e8/jersey-server/src/main/java/com/sun/jersey/server/wadl/WadlBuilder.java#L245)]

The only workaround I could come up with is to create a filter and remove the tag by hand.

 

I'm not sure if this worth the hustle, hadoop is open source and the used software component versions could be identified quite easily. Anyway I created a patch with the workaround, *but it's up to discussion if we really need this or not.*

 

*How to test?*
{code:java}
curl -v "http://localhost:8088/application.wadl" {code}

*Actual:*
{code:java}
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
    <doc xmlns:jersey="http://jersey.java.net/" jersey:generatedBy="Jersey: 1.19 02/11/2015 03:25 AM"/> {code}

*Expected:*
{code:java}
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <application xmlns="http://wadl.dev.java.net/2009/02"> <doc xmlns:jersey="http://jersey.java.net/" />{code}

*Software Version Disclosure*

It has been detected that detailed platform version information is available to
the end users. Such information is very useful in narrowing down the scope of
further malicious actions since it reveals what potential security vulnerabilities might be present on the relevant asset.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-dev-help@hadoop.apache.org