[ https://issues.apache.org/jira/browse/YARN-10973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tamas Domok updated YARN-10973:
-------------------------------
    Description: 
A security audit highlighted that the auto-generated *application.wadl* 
contains the Jersey RESTful Web Services' version - 
_jersey:generatedBy="Jersey: 1.19 02/11/2015 03:25 AM"_ - and we should hide 
this attribute.

Unfortunately it is not possible to disable this attribute from the Jersey API: 
[https://github.com/javaee/jersey-1.x/blob/864a01d7be490ab93d2424da3e446ad8eb84b1e8/jersey-server/src/main/java/com/sun/jersey/server/wadl/WadlBuilder.java#L245]

The only workaround I could come up with is to create a filter and remove the 
tag by hand.

 

I'm not sure if this is worth the hassle; Hadoop is open source and the used 
software component versions could be identified quite easily. Anyway, I created 
a patch with the workaround, *but it's up to discussion if we really need this 
or not.*

 

*How to test?*
{code:bash}
curl -v "http://localhost:8088/application.wadl"
{code}
*Actual:*
{code:xml}
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
    <doc xmlns:jersey="http://jersey.java.net/" jersey:generatedBy="Jersey: 1.19 02/11/2015 03:25 AM"/>
{code}
*Expected:*
{code:xml}
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
    <doc xmlns:jersey="http://jersey.java.net/"/>
{code}
*Software Version Disclosure*

It has been detected that detailed platform version information is available to the end users. Such information is very useful in narrowing down the scope of further malicious actions since it reveals what potential security vulnerabilities might be present on the relevant asset.

  was:
A security audit highlighted that the auto-generated *application.wadl* 
contains the server version - _jersey:generatedBy="Jersey: 1.19 02/11/2015 
03:25 AM"_ - and we should hide this attribute.

Unfortunately it is not possible to disable this attribute from the Jersey API: 
[https://github.com/javaee/jersey-1.x/blob/864a01d7be490ab93d2424da3e446ad8eb84b1e8/jersey-server/src/main/java/com/sun/jersey/server/wadl/WadlBuilder.java#L245]

The only workaround I could come up with is to create a filter and remove the 
tag by hand.

 

I'm not sure if this is worth the hassle; Hadoop is open source and the used 
software component versions could be identified quite easily. Anyway, I created 
a patch with the workaround, *but it's up to discussion if we really need this 
or not.*

 

*How to test?*
{code:bash}
curl -v "http://localhost:8088/application.wadl"
{code}

*Actual:*
{code:xml}
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
    <doc xmlns:jersey="http://jersey.java.net/" jersey:generatedBy="Jersey: 1.19 02/11/2015 03:25 AM"/>
{code}

*Expected:*
{code:xml}
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
    <doc xmlns:jersey="http://jersey.java.net/"/>
{code}

*Software Version Disclosure*

It has been detected that detailed platform version information is available to the end users. Such information is very useful in narrowing down the scope of further malicious actions since it reveals what potential security vulnerabilities might be present on the relevant asset.
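As an added illustration of the two things the issue describes (the transformation a response filter has to apply to the WADL body, and the check a reviewer runs against the fetched document to confirm the version is gone), here is a stand-alone Python version. It is not the Hadoop patch and not Jersey code; the sample document is constructed from the "Actual" output above, and the `<resources>` subtree with its `ws/v1/example` path is invented filler so that the stripper has sibling elements to preserve.

```python
import xml.etree.ElementTree as ET

WADL_NS = "http://wadl.dev.java.net/2009/02"
JERSEY_NS = "http://jersey.java.net/"
# ElementTree's Clark notation for the jersey:generatedBy attribute.
GENERATED_BY = "{%s}generatedBy" % JERSEY_NS

# Constructed sample modelled on the "Actual" output in the issue; the
# <resources> subtree is invented filler (assumed, not from the page).
SAMPLE_WADL = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<application xmlns="http://wadl.dev.java.net/2009/02">'
    '<doc xmlns:jersey="http://jersey.java.net/" '
    'jersey:generatedBy="Jersey: 1.19 02/11/2015 03:25 AM"/>'
    '<resources base="http://localhost:8088/">'
    '<resource path="ws/v1/example"/>'
    '</resources>'
    '</application>'
)


def find_version_disclosures(wadl_xml: str) -> list:
    """Regression check: return every jersey:generatedBy value in the document.

    Walks the whole tree rather than only the top-level <doc>, so a value
    attached anywhere is reported. An empty list means the WADL is clean.
    """
    root = ET.fromstring(wadl_xml)
    return [el.attrib[GENERATED_BY] for el in root.iter() if GENERATED_BY in el.attrib]


def strip_generated_by(wadl_xml: str) -> str:
    """Remove jersey:generatedBy from every element and re-serialise.

    This is the transformation a response filter would apply to the WADL
    body before it reaches the client. Parsing and re-serialising, rather
    than using a regex, keeps the document well-formed whatever the
    attribute order or whitespace is.
    """
    # Keep the WADL default namespace unprefixed so the output stays readable.
    ET.register_namespace("", WADL_NS)
    ET.register_namespace("jersey", JERSEY_NS)
    root = ET.fromstring(wadl_xml)
    for el in root.iter():
        el.attrib.pop(GENERATED_BY, None)
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n' + body


if __name__ == "__main__":
    print("before:", find_version_disclosures(SAMPLE_WADL))
    cleaned = strip_generated_by(SAMPLE_WADL)
    print("after: ", find_version_disclosures(cleaned))
    print(cleaned)
```

Feeding the body of the `curl` response from the test steps into `find_version_disclosures` gives a pass/fail signal for the fix. One cosmetic difference from the "Expected" block: once the attribute is gone nothing references the `jersey` namespace, so ElementTree omits the `xmlns:jersey` declaration and emits a bare `<doc />`, which is harmless.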


> Remove Jersey version from application.wadl for Security Reasons
> ----------------------------------------------------------------
>
>                 Key: YARN-10973
>                 URL: https://issues.apache.org/jira/browse/YARN-10973
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Tamas Domok
>            Assignee: Tamas Domok
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 10m
>  Remaining Estimate: 0h
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
