[ 
https://issues.apache.org/jira/browse/SPARK-24509?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Marcelo Vanzin resolved SPARK-24509.
------------------------------------
    Resolution: Won't Fix

The version of the HTTP server Spark uses isn't really a secret.

> Spark WebUI [security] - Web Server Version Disclosure
> ------------------------------------------------------
>
>                 Key: SPARK-24509
>                 URL: https://issues.apache.org/jira/browse/SPARK-24509
>             Project: Spark
>          Issue Type: Bug
>          Components: Web UI
>    Affects Versions: 2.3.0
>            Reporter: t oo
>            Priority: Major
>              Labels: security
>
> *Risk/Issue summary description/detail*
> The Spark web portals expose technical details about their infrastructure 
> through server response headers. 
> The Server header is appended to the server responses as part of the HTTP/1.1 
> standard. These headers inadvertently disclose information that may aid an 
> attacker in gathering information for a targeted attack. The following 
> information was gathered from server response headers:
> Server: Jetty(9.3.z-SNAPSHOT)
> Server: Apache-Coyote/1.1
>  
> *Business impact / attack scenario*
> {code:java}
> An attacker may use this information to identify technologies and research 
> publicly disclosed vulnerabilities that may affect the system.{code}
>  
> *Recommendation*
> {code:java}
> Remove the Server header from application responses.{code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
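The report above is a scanner finding: a Server header whose value names a product and a version. The following check reproduces that test so it can be run against captured responses before and after a change. It is an added example, not code from Spark or from the reporter; the raw responses in SAMPLE_RESPONSES are constructed for illustration (the two versioned values copy the strings quoted in the report), and the function names are my own.

```python
"""Flag HTTP responses whose Server header discloses a product version."""
import re
from typing import Dict, List, Optional

# Constructed sample responses for demonstration only; they were not
# captured from a real Spark Web UI. The first two reuse the Server values
# quoted in the report, the last two show the states a fix would produce.
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "jetty_with_version": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: Jetty(9.3.z-SNAPSHOT)\r\n"
        b"Content-Type: text/html;charset=utf-8\r\n"
        b"Content-Length: 0\r\n"
        b"\r\n"
    ),
    "coyote_with_version": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: Apache-Coyote/1.1\r\n"
        b"Content-Length: 0\r\n"
        b"\r\n"
    ),
    "jetty_product_only": (
        b"HTTP/1.1 200 OK\r\n"
        b"server: Jetty\r\n"
        b"Content-Length: 0\r\n"
        b"\r\n"
    ),
    "no_server_header": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Length: 0\r\n"
        b"\r\n"
    ),
}

# A product token optionally followed by a version in "Name/1.2" or
# "Name(1.2)" form. The version must start with a digit so that a bare
# product name is reported as product-only rather than as a version.
_SERVER_RE = re.compile(
    r"^\s*(?P<product>[A-Za-z][\w.\-]*)\s*"
    r"(?:[/(]\s*(?P<version>\d[\w.\-]*)\s*\)?)?"
)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Return the header block of a raw HTTP/1.1 response as a dict.

    Names are lower-cased because HTTP field names are case-insensitive;
    a check that only matched "Server" would miss "server:".
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def server_disclosure(raw: bytes) -> Optional[Dict[str, Optional[str]]]:
    """Classify what a response's Server header reveals.

    Returns None when no Server header is present; otherwise a dict with
    the raw value, the product token and the version (None when only the
    product is named).
    """
    value = parse_headers(raw).get("server")
    if value is None:
        return None
    m = _SERVER_RE.match(value)
    product = m.group("product") if m else None
    version = m.group("version") if m else None
    return {"value": value, "product": product, "version": version}


def audit(responses: Dict[str, bytes]) -> List[str]:
    """Return one finding per response whose Server header names a version."""
    findings: List[str] = []
    for label, raw in responses.items():
        info = server_disclosure(raw)
        if info and info["version"]:
            findings.append(
                f"{label}: Server header discloses "
                f"{info['product']} version {info['version']}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(finding)
```

Only the two versioned responses produce findings; "Jetty" alone and a missing header both pass, which is the distinction most scanners draw. Jetty itself can stop emitting the version through HttpConfiguration.setSendServerVersion(false), and a reverse proxy in front of the UI can drop the header entirely; RFC 7231 section 7.4.2 makes the Server field optional and advises against fine-grained detail in it.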
