[ https://issues.apache.org/jira/browse/HDFS-7505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14240887#comment-14240887 ]
Michael Segel commented on HDFS-7505:
--------------------------------------
All,
This is the first Jira ticket that I have opened so apologies if I haven't
provided enough information up front.
The issue is that the Hadoop 1.0 dfshealth web page and its supporting .jsp
classes did not have any security.
While we can modify the web.xml file, it's a temporary fix and can be
accidentally removed in subsequent releases or patches.
(/usr/lib/hadoop-hdfs/webapps/hdfs/WEB-INF/web.xml )
The question is what code besides the web page for dfs health uses the
_jsp.classes and if they can be removed.
The only downside that I can see is a loss of backwards compatibility, along
with now requiring that to view these pages, you must have an HTML5 capable
browser.
> Old hdfs .jsp pages need to be removed due to a security risk
> -------------------------------------------------------------
>
> Key: HDFS-7505
> URL: https://issues.apache.org/jira/browse/HDFS-7505
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 2.4.0, 2.4.1
> Reporter: Michael Segel
> Priority: Critical
>
> During a penetration test, by manually entering the URL for the
> dfshealth.jsp, it's possible to circumvent security on the cluster.
> The issue was found in Hortonworks 2.1 but it is believed to exist in all of
> the Apache based distributions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
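For readers who want to see what the interim web.xml mitigation mentioned in the comment looks like, here is an added example; it is not part of the ticket, nor Hadoop's own configuration. It follows the Servlet specification's security-constraint rules: an auth-constraint with no role-name denies the matched URLs to every caller, regardless of how the container's authentication is set up, which blocks the legacy *.jsp pages (dfshealth.jsp among them) without having to delete the compiled _jsp classes. The file path is the one quoted in the comment; the surrounding web-app element is a skeleton, and the real file's other servlet and filter declarations are assumed to remain in place.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the ticket or the Hadoop project.
     Fragment for /usr/lib/hadoop-hdfs/webapps/hdfs/WEB-INF/web.xml (path as quoted
     in the comment). The existing servlet/filter declarations of the real file
     are assumed to be kept and are omitted here. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Deny all requests to the legacy JSP pages.
       An empty <auth-constraint/> means "no role is permitted", i.e. the
       container answers 403 for every matched request, authenticated or not. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>legacy-jsp-pages</web-resource-name>
      <!-- Covers dfshealth.jsp (named in the ticket) and the other old pages. -->
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

</web-app>
```

Because package upgrades can replace this file, the constraint needs to be owned by configuration management and re-verified after every Hadoop patch; the ticket's point is that removing the .jsp classes from the build is the only fix that cannot silently regress.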