Hello,

We are using Apache Flink version 1.7.2. During our security scans, the following issues were reported by our scan tool. Please let us know your comments on these issues.
[1] 150085 Slow HTTP POST vulnerability
Severity: Potential Vulnerability - Level 3
Group: Information Disclosure
Threat: The web application is possibly vulnerable to a "slow HTTP POST" Denial of Service (DoS) attack. This is an application-level DoS that consumes server resources by maintaining open connections for an extended period of time by slowly sending traffic to the server. If the server maintains too many connections open at once, then it may not be able to respond to new, legitimate connections.
#1 Request
Payload: N/A
Request: POST https://<ip>:<port>/
#1 Host: <ip>:<port>
#3 Accept: */*
#1 Response: Vulnerable to slow HTTP POST attack. Connection with partial POST body remained open for: 312932 milliseconds

[2] 150124 Clickjacking - Framable Page (10)
Severity: Confirmed Vulnerability - Level 3
Group: Information Disclosure
CVSS Base: 6.4
CVSS Temporal: 5.8
Threat: The web page can be framed. This means that clickjacking attacks against users are possible.
#1 Request
Payload: N/A
Request: GET https://<ip>:<port>/
#1 Host: <ip>:<port>
#3 Accept: */*
#1 Response: The URI was framed.
The URLs below have also reported the same issue, and the response was the same.
Request GET https://<ip>:<port>/partials/jobs/running-jobs.html
Request GET https://<ip>:<port>/partials/submit.html
Request GET https://<ip>:<port>/partials/jobmanager/stdout.html
Request GET https://<ip>:<port>/partials/jobs/completed-jobs.html
Request GET https://<ip>:<port>/partials/taskmanager/index.html
Request GET https://<ip>:<port>/partials/jobmanager/log.html
Request GET https://<ip>:<port>/partials/jobmanager/index.html
Request GET https://<ip>:<port>/partials/overview.html
Request GET https://<ip>:<port>/partials/jobmanager/config.html

[3] 150162 Use of JavaScript Library with Known Vulnerability (4)
Threat: The web application is using a JavaScript library that is known to contain at least one vulnerability.
#1 Request
Payload: -
Request: GET https://<ip>:<port>/
#1 Host: <ip>:<port>
#3 Accept: */*
#1 Response: Vulnerable javascript library: jQuery version: 2.2.0
Details: CVE-2015-9251: jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses (3rd party CORS request may execute). (https://github.com/jquery/jquery/issues/2432).
Solution: jQuery version 3.0.0 has been released to address the issue (http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/). Please refer to vendor documentation (https://blog.jquery.com/) for the latest security updates.
Found on the following pages (only first 10 pages are reported):
https://<ip>:<port>/
https://<ip>:<port>/#/completed-jobs
https://<ip>:<port>/#/jobmanager/config
https://<ip>:<port>/#/overview
https://<ip>:<port>/#/running-jobs
https://<ip>:<port>/#/submit
https://<ip>:<port>/#/taskmanagers
https://<ip>:<port>/#/jobmanager/log
https://<ip>:<port>/#/jobmanager/stdout
https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

#1 Response: Vulnerable javascript library: Angular version: 1.4.8
Details: In angular versions below 1.6.5 both Firefox and Safari are vulnerable to XSS in $sanitize if an inert document created via `document.implementation.createHTMLDocument()` is used. Angular version 1.6.5 checks for these vulnerabilities and then use a DOMParser or XHR strategy if needed. Please refer to vendor documentation (https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94) for latest security updates.
Found on the following pages (only first 10 pages are reported): the same 10 pages as listed for jQuery above.

#1 Response: Vulnerable javascript library: Bootstrap version: 3.3.6
Details: The data-target attribute in bootstrap versions below 3.4.0 is vulnerable to Cross-Site Scripting(XSS) attacks. Please refer to vendor documentation (https://github.com/twbs/bootstrap/pull/23687, https://github.com/twbs/bootstrap/issues/20184) for the latest security updates.
----------------------------------------------
CVE-2019-8331: In bootstrap versions before 3.4.1, data-template, data-content and data-title properties of tooltip or popover are vulnerable to Cross-Site Scripting(XSS) attacks. Please refer to vendor documentation (https://github.com/twbs/bootstrap/issues/28236) for latest security updates.
Found on the following pages (only first 10 pages are reported): the same 10 pages as listed for jQuery above.

Vulnerable javascript library: moment version: 2.10.6
Details: CVE-2016-4055: moment versions below 2.11.2 are vulnerable to regular expression denial of service when user input is passed unchecked into moment.duration(), blocking the event loop for a period of time (https://github.com/moment/moment/issues/2936).
Solution: moment version 2.11.2 has been released to address the issue. Please refer to vendor documentation (https://github.com/moment/moment/blob/develop/CHANGELOG.md, https://nvd.nist.gov/vuln/detail/CVE-2016-4055) for latest security updates.
Found on the following pages (only first 10 pages are reported): the same 10 pages as listed for jQuery above.

[4] 150081 X-Frame-Options header is not set (10)
Severity: Potential Vulnerability - Level 1
Group: Information Disclosure
CVSS Base: 5
CVSS Temporal: 4.1
Threat: The X-Frame-Options header is not set in the HTTP response, which may lead to a possible framing of the page. An attacker can trick users into clicking on a malicious link by framing the original page and showing a layer on top of it with legitimate-looking buttons.
#1 Request
Payload: N/A
Request: GET https://<ip>:<port>/
#1 Host: <ip>:<port>
#3 Accept: */*
#1 Response: The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
Request GET https://<ip>:<port>/partials/jobs/running-jobs.html
Request GET https://<ip>:<port>/partials/submit.html
Request GET https://<ip>:<port>/partials/jobmanager/stdout.html
Request GET https://<ip>:<port>/partials/jobs/completed-jobs.html
Request GET https://<ip>:<port>/partials/taskmanager/index.html
Request GET https://<ip>:<port>/partials/jobmanager/log.html
Request GET https://<ip>:<port>/partials/jobmanager/index.html
Request GET https://<ip>:<port>/partials/overview.html
Request GET https://<ip>:<port>/partials/jobmanager/config.html

[5] 150202 Missing header: X-Content-Type-Options
Severity: Information Gathered - Level 2
Group: Information Gathered
Threat: The X-Content-Type-Options response header is not present. WAS reports missing X-Content-Type-Options header on each crawled link with all types of static and dynamic response. The scanner performs the check on 4xx and 5xx responses too. It's possible to see a directory link reported for QID as well.
X-Content-Type-Options: Header missing
Response headers on link: GET https://<ip>:<port>/ response code: 200
Content-Type: text/html
Date: Fri, 05 Jul 2019 01:22:22 GMT
Expires: Fri, 05 Jul 2019 01:27:22 GMT
Cache-Control: private, max-age=300
Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT
Connection: keep-alive
Content-Length: 3306
Header missing on the following link(s): (Only first 50 such pages are listed)

[6] 150204 Missing header: X-XSS-Protection
Severity: Information Gathered - Level 1
Group: Information Gathered
Threat: The X-XSS-Protection response header is not present.
X-Xss-Protection: Header missing
Response headers on link: GET https://<ip>:<port>/ response code: 200
Content-Type: text/html
Date: Fri, 05 Jul 2019 01:22:22 GMT
Expires: Fri, 05 Jul 2019 01:27:22 GMT
Cache-Control: private, max-age=300
Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT
Connection: keep-alive
Content-Length: 3306
Header missing on the following link(s): (Only first 50 such pages are listed)
GET https://<ip>:<port>/ response code: 200
GET https://<ip>:<port>/partials/overview.html response code: 200
GET https://<ip>:<port>/partials/jobs/completed-jobs.html response code: 200
GET https://<ip>:<port>/partials/jobmanager/config.html response code: 200
GET https://<ip>:<port>/partials/jobmanager/index.html response code: 200
GET https://<ip>:<port>/partials/jobs/running-jobs.html response code: 200
GET https://<ip>:<port>/partials/submit.html response code: 200
GET https://<ip>:<port>/partials/taskmanager/index.html response code: 200
GET https://<ip>:<port>/jobmanager/log response code: 200
GET https://<ip>:<port>/partials/jobmanager/log.html response code: 200
GET https://<ip>:<port>/jobmanager/stdout response code: 200

[7] 150135 HTTP Strict Transport Security (HSTS) header missing/misconfigured.
Severity: Information Gathered - Level 1
Group: Information Gathered
Threat: HTTP Strict Transport Security (HSTS) header found to be missing or misconfigured.
The HSTS header dictates to a conforming browser that the current and all subsequent connections (for a configurable amount of time) to the subject website should only be performed over a secure transport layer. Additionally, users are not permitted to bypass SSL/TLS certificate errors, preventing browser click-throughs in the event of expired or otherwise untrusted certificates.
Strict Transport Security header missing for https://<ip>:<port>/

Regards,
Suchithra