Posted to issues@spark.apache.org by "Marco Gaido (JIRA)" <ji...@apache.org> on 2018/06/11 13:18:00 UTC

[jira] [Commented] (SPARK-24509) Spark WebUI [security] - Web Server Version Disclosure

    [ https://issues.apache.org/jira/browse/SPARK-24509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16508032#comment-16508032 ] 

Marco Gaido commented on SPARK-24509:
-------------------------------------

I see the point, but Spark is open source, so anybody knows which server it is using. Do we really need to avoid disclosing this in the headers, since anybody can easily know it anyway?

> Spark WebUI [security] - Web Server Version Disclosure
> ------------------------------------------------------
>
>                 Key: SPARK-24509
>                 URL: https://issues.apache.org/jira/browse/SPARK-24509
>             Project: Spark
>          Issue Type: Bug
>          Components: Web UI
>    Affects Versions: 2.3.0
>            Reporter: t oo
>            Priority: Major
>              Labels: security
>
> *Risk/Issue summary description/detail*
> The Spark web portals expose technical details about its infrastructure through server response headers. 
> The Server header is appended to the server responses as part of the HTTP/1.1 standard. These headers inadvertently disclose information that may aid an attacker in gathering information for a targeted attack. The following information was gathered from server response headers:
> Server: Jetty(9.3.z-SNAPSHOT)
> Server: Apache-Coyote/1.1
>  
> *Business impact / attack scenario*
> An attacker may use this information to identify technologies and research publicly disclosed vulnerabilities that may affect the system.
>  
> *Recommendation*
> Remove the Server header from application responses.
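As an added example (not part of the issue text or of Spark's own code), this is the Jetty 9 configuration that implements the recommendation above for the `Server: Jetty(...)` header: `HttpConfiguration.setSendServerVersion(false)` disables the default, which emits the version on every response. The port and the trivial servlet are assumptions made for the example.

```java
// Added example: embedded Jetty 9 server with the Server header suppressed.
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class NoServerHeaderJetty {
    public static void main(String[] args) throws Exception {
        Server server = new Server();

        HttpConfiguration httpConfig = new HttpConfiguration();
        // Default is true, which produces e.g. "Server: Jetty(9.3.z-SNAPSHOT)".
        httpConfig.setSendServerVersion(false);
        // Also make sure no X-Powered-By header is emitted.
        httpConfig.setSendXPoweredBy(false);

        // The connector must be built from this HttpConfiguration, otherwise
        // Jetty uses a default configuration that still sends the version.
        ServerConnector connector =
                new ServerConnector(server, new HttpConnectionFactory(httpConfig));
        connector.setPort(8080); // assumed port for this example
        server.addConnector(connector);

        // Minimal servlet so the server answers requests (assumed, not Spark's UI).
        ServletContextHandler context =
                new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        context.setContextPath("/");
        context.addServlet(new ServletHolder(new HttpServlet() {
            @Override
            protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                    throws IOException {
                resp.setContentType("text/plain");
                resp.getWriter().println("ok");
            }
        }), "/*");
        server.setHandler(context);

        server.start();
        server.join();
    }
}
```

To verify the change, `curl -sI http://localhost:8080/ | grep -i '^server:'` should print nothing once the server is running with this configuration.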
