[ https://issues.apache.org/jira/browse/SPARK-24508?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marcelo Vanzin resolved SPARK-24508.
------------------------------------
    Resolution: Fixed

The "impact" doesn't really explain anything that would make the cached data a 
serious security risk. Having access to the machine is way more worrying (since 
it means getting access to the credentials that were used to get that data in 
the first place).

> Spark WebUIs [Security] - Inadequate Cache Directive Headers
> ------------------------------------------------------------
>
>                 Key: SPARK-24508
>                 URL: https://issues.apache.org/jira/browse/SPARK-24508
>             Project: Spark
>          Issue Type: Bug
>          Components: Web UI
>    Affects Versions: 2.3.0
>            Reporter: t oo
>            Priority: Major
>              Labels: security
>
> Several web portals do not use sufficient cache related headers.
> Cache related headers instructs browsers and intermediary proxies to not 
> cache any data received or sent. The following cache related headers were 
> missing or not properly set:
>  * Cache-Control: not set to no-cache no-store
>  * Pragma header missing
>  * Expires header not backdated or -1
> The following applications/requests are affected (note that this is a 
> non-exhaustive list, recommendations should be applied to all applications):
>  [https://host:8480/api/v1/applications/app-20180522035225-0000/allexecutors]
>  [https://host:18480/api/v1/applications?limit=1500&status=completed]
>  *
>  Business impact / attack scenario*
>  By allowing proxies or browsers to cache sensitive information, it is 
> possible for an attacker with access to the machine to retrieve information 
> about Spark infrastructure. 
>  *
>  Recommendation*
>  Set the following cache related headers for all sensitive information:
> Cache-Control: no-cache no-store
>  Pragma: no-cache
>  Expires: -1


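The three headers the reporter asks for, checked as an added example that is not code from the issue, the reporter or the Spark project: a small Python checker that parses the Cache-Control directives, Pragma and Expires out of a response header set and lists what is missing or set to a future date, run here against constructed header sets (the sample values are made up to resemble what the report describes, not captured from a Spark UI). The function names, the sample headers and the fetch_headers helper are assumptions of this example; fetch_headers is only for live use against a URL such as the ones listed above.

```python
"""Check a response's cache directives against the SPARK-24508 recommendation.

Added example, not code from the issue or from Apache Spark. The header
sets below are constructed for illustration, not captured from a Spark UI.
"""
from __future__ import annotations

import email.utils
import sys
import time
import urllib.request
from typing import Mapping, Optional


def parse_cache_control(value: str) -> dict[str, Optional[str]]:
    """Split a Cache-Control value into {directive: argument-or-None}.

    Directives are comma-separated (RFC 7234) and names are case-insensitive,
    so 'No-Cache, max-age=0' -> {'no-cache': None, 'max-age': '0'}.
    """
    directives: dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, has_arg, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if has_arg else None
    return directives


def expires_is_backdated(value: str, now: Optional[float] = None) -> bool:
    """True if the Expires value denotes a time at or before `now`.

    RFC 7234 section 5.3: a value that is not a valid HTTP-date (such as
    '-1' or '0') represents a time already in the past, so it counts as
    backdated; a valid date is compared against `now` (default: wall clock).
    """
    try:
        parsed = email.utils.parsedate_to_datetime(value.strip())
    except (ValueError, TypeError):  # unparseable, e.g. '-1' or '0'
        return True
    current = time.time() if now is None else now
    return parsed.timestamp() <= current


def check_cache_headers(headers: Mapping[str, str], now: Optional[float] = None) -> list[str]:
    """Return findings for a header set; an empty list means all three headers are acceptable."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings: list[str] = []

    cache_control = parse_cache_control(lower.get("cache-control", ""))
    for directive in ("no-cache", "no-store"):
        if directive not in cache_control:
            findings.append(f"Cache-Control lacks {directive}")

    pragma_tokens = {token.strip().lower() for token in lower.get("pragma", "").split(",")}
    if "no-cache" not in pragma_tokens:
        findings.append("Pragma: no-cache missing")

    if "expires" not in lower:
        findings.append("Expires header missing")
    elif not expires_is_backdated(lower["expires"], now):
        findings.append(f"Expires is in the future: {lower['expires']}")
    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> dict[str, str]:
    """Fetch `url` and return its response headers (live use only; the sample run below does not call it)."""
    request = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return dict(response.headers.items())


# Constructed sample: a JSON API response carrying no cache directives at all,
# the state the report describes for the /api/v1/applications endpoints.
WEAK_RESPONSE_HEADERS = {
    "Date": "Tue, 12 Jun 2018 03:52:25 GMT",
    "Content-Type": "application/json;charset=utf-8",
    "Content-Length": "1234",
}

# Constructed sample: the same response with the recommended directives set,
# written comma-separated as RFC 7234 requires.
HARDENED_RESPONSE_HEADERS = dict(
    WEAK_RESPONSE_HEADERS,
    **{"Cache-Control": "no-cache, no-store, must-revalidate", "Pragma": "no-cache", "Expires": "-1"},
)


if __name__ == "__main__":
    targets = sys.argv[1:]
    header_sets = (
        {url: fetch_headers(url) for url in targets}
        if targets
        else {"weak sample": WEAK_RESPONSE_HEADERS, "hardened sample": HARDENED_RESPONSE_HEADERS}
    )
    for label, header_set in header_sets.items():
        problems = check_cache_headers(header_set)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Run it with no arguments to see the constructed weak and hardened samples scored, or pass one or more UI URLs to check a live instance. Two points worth knowing before relying on it: the checker follows RFC 7234 syntax, so a Cache-Control value written with a space instead of a comma between no-cache and no-store is parsed as one unrecognised directive and flagged as lacking both; and urllib verifies TLS certificates, so an https UI with a self-signed certificate needs that certificate trusted before fetch_headers will connect.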

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
