You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-dev@hadoop.apache.org by "Tamas Domok (Jira)" <ji...@apache.org> on 2021/10/04 09:51:00 UTC
[jira] [Resolved] (YARN-10973) Remove Jersey version from
application.wadl for Security Reasons
[ https://issues.apache.org/jira/browse/YARN-10973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tamas Domok resolved YARN-10973.
--------------------------------
Resolution: Won't Do
This is probably not a real vulnerability, there is no API in jersey to hide this attribute and the workaround is too ugly to be accepted in the hadoop project. Closing the issue as Won't Do.
> Remove Jersey version from application.wadl for Security Reasons
> ----------------------------------------------------------------
>
> Key: YARN-10973
> URL: https://issues.apache.org/jira/browse/YARN-10973
> Project: Hadoop YARN
> Issue Type: Improvement
> Reporter: Tamas Domok
> Assignee: Tamas Domok
> Priority: Major
> Labels: pull-request-available
> Time Spent: 40m
> Remaining Estimate: 0h
>
> A security audit highlighted that the auto generated *application.wadl* contains the Jersey RESTful Web Services's version - _jersey:generatedBy="Jersey: 1.19 02/11/2015 03:25 AM"_ - and we should hide this attribute.
> Unfortunately it is not possible to disable this attribute from the Jersey API: [https://github.com/javaee/jersey-1.x/blob/864a01d7be490ab93d2424da3e446ad8eb84b1e8/jersey-server/src/main/java/com/sun/jersey/server/wadl/WadlBuilder.java#L245|https://github.com/javaee/jersey-1.x/blob/864a01d7be490ab93d2424da3e446ad8eb84b1e8/jersey-server/src/main/java/com/sun/jersey/server/wadl/WadlBuilder.java#L245)]
> The only workaround I could come up with is to create a filter and remove the tag by hand.
>
> I'm not sure if this worth the hustle, hadoop is open source and the used software component versions could be identified quite easily. Anyway I created a patch with the workaround, *but it's up to discussion if we really need this or not.*
>
> *How to test?*
> {code:java}
> curl -v "http://localhost:8088/application.wadl" {code}
> *Actual:*
> {code:java}
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <application xmlns="http://wadl.dev.java.net/2009/02">
> <doc xmlns:jersey="http://jersey.java.net/" jersey:generatedBy="Jersey: 1.19 02/11/2015 03:25 AM"/> {code}
> *Expected:*
> {code:java}
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <application xmlns="http://wadl.dev.java.net/2009/02">
> <doc xmlns:jersey="http://jersey.java.net/" />{code}
> *Software Version Disclosure*
> It has been detected that detailed platform version information is available to
> the end users. Such information is very useful in narrowing down the scope of
> further malicious actions since it reveals what potential security vulnerabilities might be present on the relevant asset.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-dev-help@hadoop.apache.org