Thanks for reporting this issue.
It is already discussed on Flink's dev mailing list in this thread:

-> https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E

Please continue the discussion there.

Thanks, Fabian

On Tue, 13 Aug 2019 at 13:33, V N, Suchithra (Nokia - IN/Bangalore)
<suchithra....@nokia.com> wrote:

> Hello,
>
>
>
> We are using Apache Flink 1.7.2 version. During our security scans
> following issues are reported by our scan tool. Please let us know your
> comments on these issues.
>
>
>
> *[1] 150085 Slow HTTP POST vulnerability*
>
> *Severity* Potential Vulnerability - Level 3
>
> *Group* Information Disclosure
>
>
>
> *Threat*
>
> The web application is possibly vulnerable to a "slow HTTP POST" Denial of
> Service (DoS) attack. This is an application-level DoS that consumes server
> resources by maintaining open connections for an extended period of time
> by slowly sending traffic to the server. If the server maintains too many
> connections open at once, then it may not be able to respond to new,
> legitimate connections.
>
>
>
> *#1 Request*
>
> *Payload* N/A
>
> *Request* POST https://<ip>:<port>/
>
> #1 Host: <ip>:<port>
>
> #3 Accept: */*
>
> #4 Content-Type: application/x-www-form-urlencoded
>
>
>
> *#1 Response*
>
> Vulnerable to slow HTTP POST attack
>
> Connection with partial POST body remained open for: 312932 milliseconds
>
>
>
> *[2] 150124 Clickjacking - Framable Page (10)*
>
> *Severity* Confirmed Vulnerability - Level 3
>
> *Group* Information Disclosure
>
> *CVSS Base* 6.4 *CVSS Temporal* 5.8
>
>
>
> *Threat*
>
> The web page can be framed. This means that clickjacking attacks against
> users are possible.
>
>
>
> *#1 Request*
>
> *Payload* N/A
>
> *Request* GET https://<ip>:<port>/
>
> #1 Host: <ip>:<port>
>
> #3 Accept: */*
>
>
>
> *#1 Response*
>
> The URI was framed.
>
>
>
> The URLs below have also reported the same issues, and the response was the same.
>
>
>
> *Request* GET https://<ip>:<port>/partials/jobs/running-jobs.html
>
> *Request* GET https://<ip>:<port>/partials/submit.html
>
> *Request* GET https://<ip>:<port>/partials/jobmanager/stdout.html
>
> *Request* GET https://<ip>:<port>/partials/jobs/completed-jobs.html
>
> *Request* GET https://<ip>:<port>/partials/taskmanager/index.html
>
> *Request* GET https://<ip>:<port>/partials/jobmanager/log.html
>
> *Request* GET https://<ip>:<port>/partials/jobmanager/index.html
>
> *Request* GET https://<ip>:<port>/partials/overview.html
>
> *Request* GET https://<ip>:<port>/partials/jobmanager/config.html
>
>
>
> *[3] 150162 Use of JavaScript Library with Known Vulnerability (4)*
>
>
>
> *Threat*
>
> The web application is using a JavaScript library that is known to contain
> at least one vulnerability.
>
>
>
> *#1 Request*
>
> *Payload* -
>
> *Request* GET https://<ip>:<port>/
>
> #1 Host: <ip>:<port>
>
> #3 Accept: */*
>
>
>
> *#1 Response*
>
> *Vulnerable javascript library: jQuery*
>
> *version: 2.2.0*
>
> Details:
>
> CVE-2015-9251: jQuery versions on or above 1.4.0 and below 1.12.0 (version
> 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via
> 3rd party text/javascript responses (3rd party CORS request may execute).
> (https://github.com/jquery/jquery/issues/2432).
>
> Solution: jQuery version 3.0.0 has been released to address the issue
> (http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/). Please
> refer to vendor documentation (https://blog.jquery.com/) for the latest
> security updates.
>
>
>
> Found on the following pages (only first 10 pages are reported):
>
> https://<ip>:<port>/
>
> https://<ip>:<port>/#/completed-jobs
>
> https://<ip>:<port>/#/jobmanager/config
>
> https://<ip>:<port>/#/overview
>
> https://<ip>:<port>/#/running-jobs
>
> https://<ip>:<port>/#/submit
>
> https://<ip>:<port>/#/taskmanagers
>
> https://<ip>:<port>/#/jobmanager/log
>
> https://<ip>:<port>/#/jobmanager/stdout
>
> https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log
>
>
>
>
>
> *#1 Response*
>
> *Vulnerable javascript library: Angular*
>
> *version: 1.4.8*
>
> Details:
>
> In angular versions below 1.6.5 both Firefox and Safari are vulnerable to
> XSS in $sanitize if an inert document created via
> `document.implementation.createHTMLDocument()` is used. Angular version
> 1.6.5 checks for these vulnerabilities and then uses a DOMParser or XHR
> strategy if needed. Please refer to vendor documentation
> (https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94)
> for the latest security updates.
>
> Found on the following pages (only first 10 pages are reported):
>
> https://<ip>:<port>/
>
> https://<ip>:<port>/#/completed-jobs
>
> https://<ip>:<port>/#/jobmanager/config
>
> https://<ip>:<port>/#/overview
>
> https://<ip>:<port>/#/running-jobs
>
> https://<ip>:<port>/#/submit
>
> https://<ip>:<port>/#/taskmanagers
>
> https://<ip>:<port>/#/jobmanager/log
>
> https://<ip>:<port>/#/jobmanager/stdout
>
> https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log
>
>
>
> *#1 Response*
>
> *Vulnerable javascript library: Bootstrap*
>
> *version: 3.3.6*
>
> Details:
>
> The data-target attribute in bootstrap versions below 3.4.0 is vulnerable
> to Cross-Site Scripting (XSS) attacks. Please refer to vendor documentation
> (https://github.com/twbs/bootstrap/pull/23687,
> https://github.com/twbs/bootstrap/issues/20184) for the latest security
> updates.
>
> ----------------------------------------------
>
> CVE-2019-8331: In bootstrap versions before 3.4.1, data-template,
> data-content and data-title properties of tooltip or popover are vulnerable
> to Cross-Site Scripting (XSS) attacks. Please refer to vendor
> documentation (https://github.com/twbs/bootstrap/issues/28236) for the
> latest security updates.
>
> Found on the following pages (only first 10 pages are reported):
>
> https://<ip>:<port>/
>
> https://<ip>:<port>/#/completed-jobs
>
> https://<ip>:<port>/#/jobmanager/config
>
> https://<ip>:<port>/#/overview
>
> https://<ip>:<port>/#/running-jobs
>
> https://<ip>:<port>/#/submit
>
> https://<ip>:<port>/#/taskmanagers
>
> https://<ip>:<port>/#/jobmanager/log
>
> https://<ip>:<port>/#/jobmanager/stdout
>
> https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log
>
>
>
> *Vulnerable javascript library: moment*
>
> *version: 2.10.6*
>
> Details:
>
> CVE-2016-4055: moment versions below 2.11.2 are vulnerable to regular
> expression denial of service when user input is passed unchecked into
> moment.duration(), blocking the event loop for a period of time
> (https://github.com/moment/moment/issues/2936).
>
> Solution: moment version 2.11.2 has been released to address the issue.
> Please refer to vendor documentation
> (https://github.com/moment/moment/blob/develop/CHANGELOG.md,
> https://nvd.nist.gov/vuln/detail/CVE-2016-4055) for the latest security
> updates.
>
> Found on the following pages (only first 10 pages are reported):
>
> https://<ip>:<port>/
>
> https://<ip>:<port>/#/completed-jobs
>
> https://<ip>:<port>/#/jobmanager/config
>
> https://<ip>:<port>/#/overview
>
> https://<ip>:<port>/#/running-jobs
>
> https://<ip>:<port>/#/submit
>
> https://<ip>:<port>/#/taskmanagers
>
> https://<ip>:<port>/#/jobmanager/log
>
> https://<ip>:<port>/#/jobmanager/stdout
>
> https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log
>
>
>
>
>
> *[4] 150081 X-Frame-Options header is not set (10)*
>
> *Severity* Potential Vulnerability - Level 1
>
> *Group* Information Disclosure
>
> *CVSS Base* 5 *CVSS Temporal* 4.1
>
>
>
> *Threat*
>
> The X-Frame-Options header is not set in the HTTP response, which may lead
> to a possible framing of the page. An attacker can trick users into
> clicking on a malicious link by framing the original page and showing a
> layer on top of it with legitimate-looking buttons.
>
>
>
> *#1 Request*
>
> *Payload* N/A
>
> *Request* GET https://<ip>:<port>/
>
> #1 Host: <ip>:<port>
>
> #3 Accept: */*
>
>
>
> *#1 Response*
>
> The response for this request either did not have an "X-FRAME-OPTIONS"
> header present or was not set to DENY or SAMEORIGIN
>
>
>
> *Request* GET https://<ip>:<port>/partials/jobs/running-jobs.html
>
> *Request* GET https://<ip>:<port>/partials/submit.html
>
> *Request* GET https://<ip>:<port>/partials/jobmanager/stdout.html
>
> *Request* GET https://<ip>:<port>/partials/jobs/completed-jobs.html
>
> *Request* GET https://<ip>:<port>/partials/taskmanager/index.html
>
> *Request* GET https://<ip>:<port>/partials/jobmanager/log.html
>
> *Request* GET https://<ip>:<port>/partials/jobmanager/index.html
>
> *Request* GET https://<ip>:<port>/partials/overview.html
>
> *Request* GET https://<ip>:<port>/partials/jobmanager/config.html
>
>
>
>
>
> *[5] 150202 Missing header: X-Content-Type-Options*
>
> *Severity* Information Gathered - Level 2
>
> *Group* Information Gathered
>
>
>
> *Threat*
>
> The X-Content-Type-Options response header is not present. WAS reports
> missing X-Content-Type-Options header on each crawled link with all types
> of static and dynamic response. The scanner performs the check on 4xx and
> 5xx responses too. It's possible to see a directory link reported for QID
> as well.
>
>
>
> X-Content-Type-Options: Header missing
>
> Response headers on link: GET https://<ip>:<port>/ response code: 200
>
> Content-Type: text/html
>
> Date: Fri, 05 Jul 2019 01:22:22 GMT
>
> Expires: Fri, 05 Jul 2019 01:27:22 GMT
>
> Cache-Control: private, max-age=300
>
> Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT
>
> Connection: keep-alive
>
> Content-Length: 3306
>
> Header missing on the following link(s):
>
> (Only first 50 such pages are listed)
>
> GET https://<ip>:<port>/ response code: 200
>
> GET https://<ip>:<port>/images/safari-pinned-tab.svg response code: 200
>
> GET https://<ip>:<port>/js/index.js response code: 200
>
> GET https://<ip>:<port>/images/favicon-32x32.png response code: 200
>
> GET https://<ip>:<port>/images/apple-touch-icon.png response code: 200
>
> GET https://<ip>:<port>/images/favicon.ico response code: 200
>
> GET https://<ip>:<port>/js/vendor.js response code: 200
>
> GET https://<ip>:<port>/css/vendor.css response code: 200
>
> GET https://<ip>:<port>/css/index.css response code: 200
>
> GET https://<ip>:<port>/images/favicon-16x16.png response code: 200
>
> GET https://<ip>:<port>/images/manifest.json response code: 200
>
> GET https://<ip>:<port>/config response code: 200
>
> GET https://<ip>:<port>/fonts/fontawesome-webfont.ttf?v=4.5.0 response
> code: 200
>
> GET https://<ip>:<port>/fonts/fontawesome-webfont.woff2?v=4.5.0 response
> code: 200
>
> GET https://<ip>:<port>/fonts/fontawesome-webfont.woff?v=4.5.0 response
> code: 200
>
> GET https://<ip>:<port>/jobs/overview response code: 200
>
> GET https://<ip>:<port>/overview response code: 200
>
> GET https://<ip>:<port>/partials/overview.html response code: 200
>
> GET https://<ip>:<port>/favicon.ico response code: 404
>
> GET https://<ip>:<port>/partials/jobs/completed-jobs.html response code:
> 200
>
> GET https://<ip>:<port>/jobmanager/config response code: 200
>
> GET https://<ip>:<port>/partials/jobmanager/config.html response code: 200
>
> GET https://<ip>:<port>/partials/jobmanager/index.html response code: 200
>
> GET https://<ip>:<port>/partials/jobs/running-jobs.html response code: 200
>
> GET https://<ip>:<port>/jars/ response code: 200
>
> GET https://<ip>:<port>/partials/submit.html response code: 200
>
> GET https://<ip>:<port>/partials/taskmanager/index.html response code: 200
>
> GET https://<ip>:<port>/taskmanagers response code: 200
>
> GET https://<ip>:<port>/jobmanager/log response code: 200
>
> GET https://<ip>:<port>/partials/jobmanager/log.html response code: 200
>
> GET https://<ip>:<port>/jobmanager/stdout response code: 200
>
> GET https://<ip>:<port>/partials/jobmanager/stdout.html response code: 200
>
> GET https://<ip>:<port>/partials/%257B%257B'%23/jobs/'%20+%20jid%7D%7D response code: 404
>
> GET https://<ip>:<port>/partials/taskmanager/taskmanager.html response
> code: 200
>
> GET https://<ip>:<port>/partials/taskmanager/taskmanager.metrics.html
> response code: 200
>
> GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9
> response code: 200
>
> GET https://<ip>:<port>/partials/jobmanager/jobmanager/log response code:
> 404
>
> GET https://<ip>:<port>/partials/jobmanager/jobmanager/stdout response
> code: 404
>
> GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9/log
> response code: 500
>
> GET https://<ip>:<port>/partials/taskmanager/taskmanager.log.html
> response code: 200
>
> GET
> https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9/stdout
> response code: 500
>
> GET https://<ip>:<port>/partials/taskmanager/taskmanager.stdout.html
> response code: 200
>
> GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%7B%7Btaskmanagerid%7D%7D/log response code: 404
>
> GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%257B%257Btaskmanagerid%257D%257D/log response code: 404
>
> GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%7B%7Btaskmanagerid%7D%7D/stdout response code: 404
>
> GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%257B%257Btaskmanagerid%257D%257D/stdout response code: 404
>
>
>
>
>
> *[6] 150204 Missing header: X-XSS-Protection*
>
> *Severity* Information Gathered - Level 1
>
> *Group* Information Gathered
>
>
>
> *Threat*
>
> The X-XSS-Protection response header is not present.
>
>
>
> X-Xss-Protection: Header missing
>
> Response headers on link: GET https://<ip>:<port>/ response code: 200
>
> Content-Type: text/html
>
> Date: Fri, 05 Jul 2019 01:22:22 GMT
>
> Expires: Fri, 05 Jul 2019 01:27:22 GMT
>
> Cache-Control: private, max-age=300
>
> Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT
>
> Connection: keep-alive
>
> Content-Length: 3306
>
> Header missing on the following link(s):
>
> (Only first 50 such pages are listed)
>
> GET https://<ip>:<port>/ response code: 200
>
> GET https://<ip>:<port>/partials/overview.html response code: 200
>
> GET https://<ip>:<port>/partials/jobs/completed-jobs.html response code:
> 200
>
> GET https://<ip>:<port>/partials/jobmanager/config.html response code: 200
>
> GET https://<ip>:<port>/partials/jobmanager/index.html response code: 200
>
> GET https://<ip>:<port>/partials/jobs/running-jobs.html response code: 200
>
> GET https://<ip>:<port>/partials/submit.html response code: 200
>
> GET https://<ip>:<port>/partials/taskmanager/index.html response code: 200
>
> GET https://<ip>:<port>/jobmanager/log response code: 200
>
> GET https://<ip>:<port>/partials/jobmanager/log.html response code: 200
>
> GET https://<ip>:<port>/jobmanager/stdout response code: 200
>
>
>
>
>
> *[7] 150135 HTTP Strict Transport Security (HSTS) header missing/misconfigured.*
>
> *Severity* Information Gathered - Level 1
>
> *Group* Information Gathered
>
>
>
> *Threat*
>
> HTTP Strict Transport Security (HSTS) header found to be missing or
> misconfigured. The HSTS header dictates to a conforming browser that the
> current and all subsequent connections (for a configurable amount of time)
> to the subject website should only be performed over a secure transport
> layer. Additionally, users are not permitted to bypass SSL/TLS certificate
> errors, preventing browser click-throughs in the event of expired or
> otherwise untrusted certificates.
>
>
>
> Strict Transport Security header missing for
>
> https://<ip>:<port>/
>
>
>
>
>
> Regards,
>
> Suchithra
>
>
>
