[ https://issues.apache.org/jira/browse/HDFS-7505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14241512#comment-14241512 ]
Chris Nauroth commented on HDFS-7505:
-------------------------------------
Hi, [~msegel]. Thank you for the bug report. All of the jsp code has been
removed already as part of issue HDFS-6252, so I'm resolving this one as
duplicate. That issue is targeted to 2.7.0, so in the Apache Hadoop 2.7.0
release, the jsp pages (and any of their security vulnerabilities) will vanish.

> Old hdfs .jsp pages need to be removed due to a security risk
> -------------------------------------------------------------
>
> Key: HDFS-7505
> URL: https://issues.apache.org/jira/browse/HDFS-7505
> Project: Hadoop HDFS
> Issue Type: Bug
> Affects Versions: 2.4.0, 2.4.1
> Reporter: Michael Segel
> Priority: Critical
>
> During a penetration test, by manually entering the URL for the
> dfshealth.jsp, it's possible to circumvent security on the cluster.
> The issue was found in Hortonworks 2.1 but it is believed to exist in all of
> the Apache-based distributions.