AMBARI-20018. Document security issue related to setting security.agent.hostname.validate to false (rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/45842645 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/45842645 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/45842645 Branch: refs/heads/branch-feature-AMBARI-12556 Commit: 45842645c546a176f1692d0d7be008e2d51c5086 Parents: a1f23ad Author: Robert Levas <[email protected]> Authored: Wed Feb 15 11:20:03 2017 -0500 Committer: Robert Levas <[email protected]> Committed: Wed Feb 15 11:20:03 2017 -0500 ---------------------------------------------------------------------- ambari-server/docs/configuration/index.md | 2 +- .../java/org/apache/ambari/server/configuration/Configuration.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/45842645/ambari-server/docs/configuration/index.md ---------------------------------------------------------------------- diff --git a/ambari-server/docs/configuration/index.md b/ambari-server/docs/configuration/index.md index 50864f2..ae2d549 100644 --- a/ambari-server/docs/configuration/index.md +++ b/ambari-server/docs/configuration/index.md @@ -172,7 +172,7 @@ The following are the properties which can be used to configure Ambari. | repo.validation.suffixes.ubuntu | The suffixes to use when validating Ubuntu repositories. |`/dists/%s/Release` | | resources.dir | The location on the Ambari Server where all resources exist, including common services, stacks, and scripts. |`/var/lib/ambari-server/resources/` | | rolling.upgrade.skip.packages.prefixes | A comma-separated list of packages which will be skipped during a stack upgrade. | | -| security.agent.hostname.validate | Determines whether the Ambari Agent host names should be validated against a regular expression to ensure that they are well-formed. |`true` | +| security.agent.hostname.validate | Determines whether the Ambari Agent host names should be validated against a regular expression to ensure that they are well-formed.<br><br>WARNING: By setting this value to false, host names will not be validated, allowing a possible security vulnerability as described in CVE-2014-3582. See https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities for more information.|`true` | | security.master.key.location | The location on the Ambari Server of the master key file. This is the key to the master keystore. | | | security.master.keystore.location | The location on the Ambari Server of the master keystore file. | | | security.server.cert_name | The name of the file located in the `security.server.keys_dir` directory where certificates will be generated when Ambari uses the `openssl ca` command. |`ca.crt` | http://git-wip-us.apache.org/repos/asf/ambari/blob/45842645/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java index 5020790..e1df5bd 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java @@ -510,7 +510,7 @@ public class Configuration { * Determines whether the Ambari Agent host names should be validated against * a regular expression to ensure that they are well-formed. */ - @Markdown(description = "Determines whether the Ambari Agent host names should be validated against a regular expression to ensure that they are well-formed.") + @Markdown(description = "Determines whether the Ambari Agent host names should be validated against a regular expression to ensure that they are well-formed.<br><br>WARNING: By setting this value to false, host names will not be validated, allowing a possible security vulnerability as described in CVE-2014-3582. See https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities for more information.") public static final ConfigurationProperty<String> SRVR_AGENT_HOSTNAME_VALIDATE = new ConfigurationProperty<>( "security.agent.hostname.validate", "true");
