Hi!

Thank you for reporting this!

At the moment, the Flink REST endpoint is not secure in the way that you
can expose it publicly. After all, you can submit Flink jobs to it which by
definition support executing arbitrary code.
Given that access to the REST endpoint allows by design arbitrary code
execution (running a Flink job), these reported vulnerabilities are
probably not as critical.

In light of that, the REST endpoint needs to be exposed in a secure way
(SSL mutual auth, an authenticating proxy, etc.).

Nevertheless, let us see whether we can update at least the web UI
dependencies to newer versions which are not subject to these exploits, to
take a step towards making the REST endpoint more suitable to be public
facing.

Best,
Stephan



On Sun, Aug 11, 2019 at 6:20 PM V N, Suchithra (Nokia - IN/Bangalore) <
suchithra....@nokia.com> wrote:

> Hello,
>
>
>
> We are using Apache Flink 1.7.2 version. During our security scans
> following issues are reported by our scan tool. Please let us know your
> comments on these issues.
>
>
>
> *[1] 150085 Slow HTTP POST vulnerability*
>
> *Severity *Potential Vulnerability - Level 3
>
> *Group *Information Disclosure
>
>
>
> *Threat*
>
> The web application is possibly vulnerable to a "slow HTTP POST" Denial of
> Service (DoS) attack. This is an application-level DoS that consumes server
>
> resources by maintaining open connections for an extended period of time
> by slowly sending traffic to the server. If the server maintains too many
> connections
>
> open at once, then it may not be able to respond to new, legitimate
> connections.
>
>
>
> *#1 Request*
>
> *Payload *N/A
>
> *Request *POST https://<ip>:<port>/
>
> #1 Host: <ip>:<port>
>
> #3 Accept: */*
>
> #4 Content-Type: application/x-www-form-urlencoded
>
>
>
> *#1 Response*
>
> Vulnerable to slow HTTP POST attack
>
> Connection with partial POST body remained open for: 312932 milliseconds
>
>
>
> *[2] 150124 Clickjacking - Framable Page (10)*
>
> *Severity *Confirmed Vulnerability - Level 3
>
> *Group *Information Disclosure
>
> *CVSS Base *6.4 *CVSS Temporal*5.8
>
>
>
> *Threat*
>
> The web page can be framed. This means that clickjacking attacks against
> users are possible.
>
>
>
> *#1 Request*
>
> *Payload *N/A
>
> *Request *GET https://<ip>:<port>/
>
> #1 Host: <ip>:<port>
>
> #3 Accept: */*
>
>
>
> *#1 Response*
>
> The URI was framed.
>
>
>
> Below url’s have also reported the same issues and response was same.
>
>
>
> *Request *GET https://<ip>:<port>/partials/jobs/running-jobs.html
>
> *Request *GET https://<ip>:<port>/partials/submit.html
>
> *Request *GET https://<ip>:<port>/partials/jobmanager/stdout.html
>
> *Request *GET https://<ip>:<port>/partials/jobs/completed-jobs.html
>
> *Request *GET https://<ip>:<port>/partials/taskmanager/index.html
>
> *Request *GET https://<ip>:<port>/partials/jobmanager/log.html
> <https://10.75.119.114:32007/partials/jobmanager/log.html>
>
> *Request *GET https://<ip>:<port>/partials/jobmanager/index.html
>
> *Request *GET https://<ip.:<port>/partials/overview.html
>
> *Request *GET https://<ip>:<port>/partials/jobmanager/config.html
>
>
>
> *[3] 150162 Use of JavaScript Library with Known Vulnerability (4)*
>
>
>
> *Threat*
>
> The web application is using a JavaScript library that is known to contain
> at least one vulnerability.
>
>
>
> *#1 Request*
>
> *Payload *-
>
> *Request *GET https://<ip>:<port>/
>
> #1 Host: <ip>:<port>
>
> #3 Accept: */*
>
>
>
> *#1 Response*
>
> *Vulnerable javascript library: jQuery*
>
> *version: 2.2.0*
>
> Details:
>
> CVE-2015-9251: jQuery versions on or above 1.4.0 and below 1.12.0 (version
> 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via
> 3rd party text/javascript responses(3rd party
>
> CORS request may execute). (https://github.com/jquery/jquery/issues/2432).
>
> Solution: jQuery version 3.0.0 has been released to address the issue (
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/). Please
> refer to vendor documentation (https://blog.jquery.com/)
>
> for the latest security updates.
>
>
>
> Found on the following pages (only first 10 pages are reported):
>
> https://<ip>:<port>/
>
> https://<ip>:<port>/#/completed-jobs
>
> https://<ip>:<port>/#/jobmanager/config
>
> https://<ip>:<port>/#/overview
>
> https://<ip>:<port>/#/running-jobs
>
> https://<ip>:<port>/#/submit
>
> https://<ip>:<port>/#/taskmanagers
>
> https://<ip>:<port>/#/jobmanager/log
>
> https://<ip>:<port>/#/jobmanager/stdout
>
> https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log
>
>
>
>
>
> *#1 Response*
>
> *Vulnerable javascript library: Angular*
>
> *version: 1.4.8*
>
> Details:
>
> In angular versions below 1.6.5 both Firefox and Safari are vulnerable to
> XSS in $sanitize if an inert document created via
> `document.implementation.createHTMLDocument()` is used. Angular version
>
> 1.6.5 checks for these vulnerabilities and then use a DOMParser or XHR
> strategy if needed. Please refer to vendor documentation (
> https://github.com/angular/angular.js/commit/
>
> 8f31f1ff43b673a24f84422d5c13d6312b2c4d94) for latest security updates.
>
> Found on the following pages (only first 10 pages are reported):
>
> https://<ip>:<port>/
>
> https://<ip>:<port>/#/completed-jobs
>
> https://<ip>:<port>/#/jobmanager/config
>
> https://<ip>:<port>/#/overview
>
> https://<ip>:<port>/#/running-jobs
>
> https://<ip>:<port>/#/submit
>
> https://<ip>:<port>/#/taskmanagers
>
> https://<ip>:<port>/#/jobmanager/log
>
> https://<ip>:<port>/#/jobmanager/stdout
>
> https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log
> <https://10.75.119.114:32007/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log>
>
>
>
> *#1 Response*
>
> *Vulnerable javascript library: Bootstrap*
>
> *version: 3.3.6*
>
> Details:
>
> The data-target attribute in bootstrap versions below 3.4.0 is vulnerable
> to Cross-Site Scripting(XSS) attacks. Please refer to vendor documentation (
> https://github.com/twbs/bootstrap/pull/23687, https://
>
> github.com/twbs/bootstrap/issues/20184) for the latest security updates.
>
> ----------------------------------------------
>
> CVE-2019-8331: In bootstrap versions before 3.4.1, data-template,
> data-content and data-title properties of tooltip or popover are vulnerable
> to Cross-Site Scripting(XSS) attacks. Please refer to vendor
>
> documentation (https://github.com/twbs/bootstrap/issues/28236) for latest
> security updates.
>
> Found on the following pages (only first 10 pages are reported):
>
> https://<ip>:<port>/
>
> https://<ip>:<port>/#/completed-jobs
>
> https://<ip>:<port>/#/jobmanager/config
>
> https://<ip>:<port>/#/overview
>
> https://<ip>:<port>/#/running-jobs
>
> https://<ip>:<port>/#/submit
>
> https://<ip>:<port>/#/taskmanagers
>
> https://<ip>:<port>/#/jobmanager/log
>
> https://<ip>:<port>/#/jobmanager/stdout
>
> https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log
> <https://10.75.119.114:32007/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log>
>
>
>
> *Vulnerable javascript library: moment*
>
> *version: 2.10.6*
>
> Details:
>
> CVE-2016-4055: moment versions below 2.11.2 are vulnerable to regular
> expression denial of service when user input is passed unchecked into
> moment.duration() blocking the event loop for a period
>
> of time.(https://github.com/moment/moment/issues/2936).
>
> Solution: moment version 2.11.2 has been released to address the issue.
> Please refer to vendor documentation (
> https://github.com/moment/moment/blob/develop/CHANGELOG.md,
> https://nvd.nist.gov/
>
> vuln/detail/CVE-2016-4055 ) for latest security updates.
>
> Found on the following pages (only first 10 pages are reported):
>
> https://<ip>:<port>/
>
> https://<ip>:<port>/#/completed-jobs
>
> https://<ip>:<port>/#/jobmanager/config
>
> https://<ip>:<port>/#/overview
>
> https://<ip>:<port>/#/running-jobs
>
> https://<ip>:<port>/#/submit
>
> https://<ip>:<port>/#/taskmanagers
>
> https://<ip>:<port>/#/jobmanager/log
>
> https://<ip>:<port>/#/jobmanager/stdout
>
> https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log
>
>
>
>
>
> *[4] 150081 X-Frame-Options header is not set **(10)*
>
> *Severity *Potential Vulnerability - Level 1
>
> *Group *Information Disclosure
>
> *CVSS Base *5 *CVSS Temporal*4.1
>
>
>
> *Threat*
>
> The X-Frame-Options header is not set in the HTTP response, which may lead
> to a possible framing of the page. An attacker can trick users into
> clicking on a
>
> malicious link by framing the original page and showing a layer on top of
> it with legitimate-looking buttons.
>
>
>
> *#1 Request*
>
> *Payload *N/A
>
> *Request *GET https://<ip>:<port>/
>
> #1 Host: <ip>:<port>
>
> #3 Accept: */*
>
>
>
> *#1 Response*
>
> The response for this request either did not have an "X-FRAME-OPTIONS"
> header present or was not set to DENY or SAMEORIGIN
>
>
>
> *Request *GET https://<ip>:<port>/partials/jobs/running-jobs.html
> <https://10.75.119.114:32007/partials/jobs/running-jobs.html>
>
> *Request *GET https://<ip>:<port>/partials/submit.html
> <https://10.75.119.114:32007/partials/submit.html>
>
> *Request *GET https://<ip>:<port>/partials/jobmanager/stdout.html
> <https://10.75.119.114:32007/partials/jobmanager/stdout.html>
>
> *Request *GET https://<ip>:<port>/partials/jobs/completed-jobs.html
> <https://10.75.119.114:32007/partials/jobs/completed-jobs.html>
>
> *Request *GET https://<ip>:<port>/partials/taskmanager/index.html
> <https://10.75.119.114:32007/partials/taskmanager/index.html>
>
> *Request *GET https://<ip>:<port>/partials/jobmanager/log.html
> <https://10.75.119.114:32007/partials/jobmanager/log.html>
>
> *Request *GET https://<ip>:<port>/partials/jobmanager/index.html
> <https://10.75.119.114:32007/partials/jobmanager/index.html>
>
> *Request *GET https://<ip>:<port>/partials/overview.html
> <https://10.75.119.114:32007/partials/overview.html>
>
> *Request *GET https://<ip>:<port>/partials/jobmanager/config.html
> <https://10.75.119.114:32007/partials/jobmanager/config.html>
>
>
>
>
>
> *[5] 150202 Missing header: X-Content-Type-Options*
>
> *Severity *Information Gathered - Level 2
>
> *Group *Information Gathered
>
>
>
> *Threat*
>
> The X-Content-Type-Options response header is not present. WAS reports
> missing X-Content-Type-Options header on each crawled link with all types
> of static
>
> and dynamic response. The scanner performs the check on 4xx and 5xx
> responses too. It's possible to see a directory link reported for QID as
> well.
>
>
>
> X-Content-Type-Options: Header missing
>
> Response headers on link: GET https://<ip>:<port>/ response code: 200
>
> Content-Type: text/html
>
> Date: Fri, 05 Jul 2019 01:22:22 GMT
>
> Expires: Fri, 05 Jul 2019 01:27:22 GMT
>
> Cache-Control: private, max-age=300
>
> Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT
>
> Connection: keep-alive
>
> Content-Length: 3306
>
> Header missing on the following link(s):
>
> (Only first 50 such pages are listed)
>
> GET https://<ip>:<port>/ response code: 200
>
> GET https://<ip>:<port>/images/safari-pinned-tab.svg response code: 200
>
> GET https://<ip>:<port>/js/index.js response code: 200
>
> GET https://<ip>:<port>/images/favicon-32x32.png response code: 200
>
> GET https://<ip>:<port>/images/apple-touch-icon.png response code: 200
>
> GET https://<ip>:<port>/images/favicon.ico response code: 200
>
> GET https://<ip>:<port>/js/vendor.js response code: 200
>
> GET https://<ip>:<port>/css/vendor.css response code: 200
>
> GET https://<ip>:<port>/css/index.css response code: 200
>
> GET https://<ip>:<port>/images/favicon-16x16.png response code: 200
>
> GET https://<ip>:<port>/images/manifest.json response code: 200
>
> GET https://<ip>:<port>/config response code: 200
>
> GET https://<ip>:<port>/fonts/fontawesome-webfont.ttf?v=4.5.0 response
> code: 200
>
> GET https://<ip>:<port>/fonts/fontawesome-webfont.woff2?v=4.5.0 response
> code: 200
>
> GET https://<ip>:<port>/fonts/fontawesome-webfont.woff?v=4.5.0 response
> code: 200
>
> GET https://<ip>:<port>/jobs/overview response code: 200
>
> GET https://<ip>:<port>/overview response code: 200
>
> GET https://<ip>:<port>/partials/overview.html response code: 200
>
> GET https://<ip>:<port>/favicon.ico response code: 404
>
> GET https://<ip>:<port>/partials/jobs/completed-jobs.html response code:
> 200
>
> GET https://<ip>:<port>/jobmanager/config response code: 200
>
> GET https://<ip>:<port>/partials/jobmanager/config.html response code: 200
>
> GET https://<ip>:<port>/partials/jobmanager/index.html response code: 200
>
> GET https://<ip>:<port>/partials/jobs/running-jobs.html response code: 200
>
> GET https://<ip>:<port>/jars/ response code: 200
>
> GET https://<ip>:<port>/partials/submit.html response code: 200
>
> GET https://<ip>:<port>/partials/taskmanager/index.html response code: 200
>
> GET https://<ip>:<port>/taskmanagers response code: 200
>
> GET https://<ip>:<port>/jobmanager/log response code: 200
>
> GET https://<ip>:<port>/partials/jobmanager/log.html response code: 200
>
> GET https://<ip>:<port>/jobmanager/stdout response code: 200
>
> GET https://<ip>:<port>/partials/jobmanager/stdout.html response code: 200
>
> GET https://<ip>:<port>/partials/%257B%257B'%23/jobs/'%20+%20jid%7D%7D
> response code: 404
>
> GET https://<ip>:<port>/partials/taskmanager/taskmanager.html response
> code: 200
>
> GET https://<ip>:<port>/partials/taskmanager/taskmanager.metrics.html
> response code: 200
>
> GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9
> response code: 200
>
> GET https://<ip>:<port>/partials/jobmanager/jobmanager/log response code:
> 404
>
> GET https://<ip>:<port>/partials/jobmanager/jobmanager/stdout response
> code: 404
>
> GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9/log
> response code: 500
>
> GET https://<ip>:<port>/partials/taskmanager/taskmanager.log.html
> response code: 200
>
> GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9/stdout
> response code: 500
>
> GET https://<ip>:<port>/partials/taskmanager/taskmanager.stdout.html
> response code: 200
>
> GET 
> https://<ip>:<port>/partials/taskmanager/taskmanagers/%7B%7Btaskmanagerid%7D%7D/log
> response code: 404
>
> GET 
> https://<ip>:<port>/partials/taskmanager/taskmanagers/%257B%257Btaskmanagerid%257D%257D/log
> response code: 404
>
> GET 
> https://<ip>:<port>/partials/taskmanager/taskmanagers/%7B%7Btaskmanagerid%7D%7D/stdout
> response code: 404
>
> GET 
> https://<ip>:<port>/partials/taskmanager/taskmanagers/%257B%257Btaskmanagerid%257D%257D/stdout
> response code: 404
>
>
>
>
>
> *[6] 150204 Missing header: X-XSS-Protection*
>
> *Severity *Information Gathered - Level 1
>
> *Group *Information Gathered
>
>
>
> *Threat*
>
> The X-XSS-Protection response header is not present.
>
>
>
> X-Xss-Protection: Header missing
>
> Response headers on link: GET https://<ip>:<port>/ response code: 200
>
> Content-Type: text/html
>
> Date: Fri, 05 Jul 2019 01:22:22 GMT
>
> Expires: Fri, 05 Jul 2019 01:27:22 GMT
>
> Cache-Control: private, max-age=300
>
> Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT
>
> Connection: keep-alive
>
> Content-Length: 3306
>
> Header missing on the following link(s):
>
> (Only first 50 such pages are listed)
>
> GET https://<ip>:<port>/ response code: 200
>
> GET https://<ip>:<port>/partials/overview.html response code: 200
>
> GET https://<ip>:<port>/partials/jobs/completed-jobs.html response code:
> 200
>
> GET https://<ip>:<port>/partials/jobmanager/config.html response code: 200
>
> GET https://<ip>:<port>/partials/jobmanager/index.html response code: 200
>
> GET https://<ip>:<port>/partials/jobs/running-jobs.html response code: 200
>
> GET https://<ip>:<port>/partials/submit.html response code: 200
>
> GET https://<ip>:<port>/partials/taskmanager/index.html response code: 200
>
> GET https://<ip>:<port>/jobmanager/log response code: 200
>
> GET https://<ip>:<port>/partials/jobmanager/log.html response code: 200
>
> GET https://<ip>:<port>/jobmanager/stdout response code: 200
>
>
>
>
>
> *[7] 150135 HTTP Strict Transport Security (HSTS) header
> missing/misconfigured.*
>
> *Severity *Information Gathered - Level 1
>
> *Group *Information Gathered
>
>
>
> *Threat*
>
> HTTP Strict Transport Security (HSTS) header found to be missing or
> misconfigured. HSTS header dictates to a conforming browser that the
> current and all
>
> subsequent connections (for a configurable amount of time) to the subject
> website should only be performed over a secure transport layer.
> Additionally, users are
>
> not permitted to bypass SSL/TLS certificate errors; preventing browser
> click-throughs in the event of expired or otherwise untrusted certificates.
>
>
>
> Strict Transport Security header missing for
>
> https://<ip>:<port>/
>
>
>
>
>
> Regards,
>
> Suchithra
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

Reply via email to