[ https://issues.apache.org/jira/browse/SPARK-24511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marcelo Vanzin resolved SPARK-24511.
------------------------------------
    Resolution: Not A Problem

The default in jdk8 is 1.2. If you configure your application with insecure 
settings, that's kinda your problem. By default, SSL is not even on...

> Spark WebUI allows Weak TLS Protocols
> -------------------------------------
>
>                 Key: SPARK-24511
>                 URL: https://issues.apache.org/jira/browse/SPARK-24511
>             Project: Spark
>          Issue Type: Bug
>          Components: Web UI
>    Affects Versions: 2.3.0
>            Reporter: t oo
>            Priority: Major
>              Labels: security
>         Attachments: SSL.PNG
>
>
> *Risk/Issue summary finding*
> {code:java}
> Weak TLS Protocols Supported{code}
> *Risk/Issue summary description/detail*
> {code:java}
> The Spark web portals support the use of weak TLS protocols (TLSv1.0).
> Transport Layer Security (TLS) is the IETF standard cryptographic protocol 
> for secure communications. It provides authentication, confidentiality and 
> integrity between the client and the server. While it is the successor of SSL, 
> TLSv1.0 has been superseded by versions 1.1 and 1.2, and is vulnerable to a 
> variety of downgrade attacks due to how closely its implementation follows SSLv3.
> {code}
> *Business impact / attack scenario*
> {code:java}
> Vulnerabilities in the Transport Layer Security protocols and ciphers can 
> allow attackers to decrypt and view sensitive information transferred between 
> the server and the client. They need to be positioned between the client and 
> server in order to intercept messages.{code}
> *Recommendation*
> {code:java}
> Use TLSv1.2 with strong cipher suites (>= 128 bits) for all communications 
> between the client and server.{code}
>  
> The following spark-defaults.conf was applied:
> {code}
> spark.ssl.enabled true
> spark.ssl.keyStore /home/ec2-user/spark_home/conf/redact.jks
> spark.ssl.trustStore /home/ec2-user/spark_home/conf/redact-trust-nonprd.jks
> spark.ssl.enabledAlgorithms ECDHE-RSA-AES256-SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> spark.ssl.protocol TLSv1.2
> spark.ssl.trustStoreType JKS
> {code}
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
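Added check, not from this ticket and not Spark's own code: the script below parses the spark-defaults.conf fragment quoted in the report (embedded here as constructed sample input), flags entries that will not do what the reporter intended, and includes a probe that pins one TLS version per handshake so that what the listener actually accepts is measured from outside rather than inferred from the config. The concrete thing it catches in the quoted config is that the first entry of spark.ssl.enabledAlgorithms, ECDHE-RSA-AES256-SHA, is an OpenSSL-style name; Java's JSSE only matches names of the form TLS_..._WITH_..., so that entry has no effect. The JSSE_SUITE pattern, the WEAK_BULK list, the finding strings and the function names are my assumptions; the probe is a live network call and its result for TLSv1.0/1.1 also depends on the local OpenSSL build still offering those versions (it reports None where the client side cannot even try).

```python
"""Audit the TLS settings in a spark-defaults.conf and, optionally, probe the
listener to confirm which protocol versions it really accepts."""
import re
import socket
import ssl
import sys

# Constructed sample: the reporter's spark-defaults.conf fragment (paths redacted).
SAMPLE_CONF = """\
spark.ssl.enabled true
spark.ssl.keyStore /home/ec2-user/spark_home/conf/redact.jks
spark.ssl.trustStore /home/ec2-user/spark_home/conf/redact-trust-nonprd.jks
spark.ssl.enabledAlgorithms ECDHE-RSA-AES256-SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
spark.ssl.protocol TLSv1.2
spark.ssl.trustStoreType JKS
"""

# Assumed pattern for JSSE suite names (TLS_<kx>_WITH_<cipher>_<mac>); OpenSSL-style
# names such as ECDHE-RSA-AES256-SHA do not match and are ignored by the JVM.
JSSE_SUITE = re.compile(r"^(TLS|SSL)_[A-Za-z0-9_]+_WITH_[A-Za-z0-9_]+$")
# Assumed markers of bulk ciphers / key exchanges that fail the ">= 128 bits, strong" bar.
WEAK_BULK = ("_NULL_", "_RC4_", "_DES_", "_3DES_", "_EXPORT", "_anon_")


def parse_conf(text):
    """Parse spark-defaults.conf into a dict. Keys and values are separated by
    whitespace, '=' or ':' (java.util.Properties rules); '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=:]+", line, maxsplit=1)
        conf[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return conf


def audit(conf):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    if conf.get("spark.ssl.enabled", "false").lower() != "true":
        return ["spark.ssl.enabled is not true: the web UI is served over plain HTTP"]
    findings = []
    proto = conf.get("spark.ssl.protocol", "")
    if proto != "TLSv1.2":
        findings.append(f"spark.ssl.protocol is {proto!r}, expected TLSv1.2")
    suites = [s.strip() for s in conf.get("spark.ssl.enabledAlgorithms", "").split(",")
              if s.strip()]
    if not suites:
        findings.append("spark.ssl.enabledAlgorithms is unset: the JVM default suite list applies")
    for s in suites:
        if not JSSE_SUITE.match(s):
            findings.append(f"{s}: not a JSSE suite name (OpenSSL-style?), the JVM will not match it")
        elif any(marker in s for marker in WEAK_BULK):
            findings.append(f"{s}: weak or export-grade bulk cipher / key exchange")
    return findings


def probe_protocols(host, port, timeout=5.0):
    """Handshake once per TLS version with min == max pinned, so a success means the
    server accepted exactly that version. Returns {name: True/False/None}; None means
    this client's OpenSSL build cannot offer the version at all."""
    versions = (("TLSv1", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2))
    results = {}
    for name, ver in versions:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # testing version negotiation, not the certificate
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # let old suites through so the verdict is the server's
        except ssl.SSLError:
            pass
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
        except ValueError:  # version compiled out of the local OpenSSL
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[name] = True
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF)) or ["config: nothing flagged"]:
        print(finding)
    if len(sys.argv) == 3:  # usage: python audit_spark_tls.py <host> <port>
        for name, ok in probe_protocols(sys.argv[1], int(sys.argv[2])).items():
            print(f"{name}: {'accepted' if ok else 'rejected' if ok is False else 'not testable'}")
```

Run the probe against the Spark UI port after changing the config; the finding that matters is TLSv1 reported as accepted while spark.ssl.protocol already says TLSv1.2, which is exactly the situation the scan in the report describes.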
