Gyan created AMBARI-25347:
-----------------------------

             Summary: [Security Vulnerability] SSL enabled Ambari information exposed to port 8441
                 Key: AMBARI-25347
                 URL: https://issues.apache.org/jira/browse/AMBARI-25347
             Project: Ambari
          Issue Type: Bug
          Components: ambari-agent, ambari-server
    Affects Versions: 2.7.3
         Environment: ambari-2.7.3/ HDP-3.1
            Reporter: Gyan


Description-- 

State of Ambari-- Ambari is SSL enabled.

Issue--

The URLs below are exposed and can be accessed via port 8441 without being 
logged in to Ambari.

1-  'https://<ambari_server>:8441/users'

Example--
{code:java}
{
  "href" : "https://172.25.40.23:8441/users",
  "items" : [
    {
      "href" : "https://172.25.40.23:8441/users/admin",
      "Users" : {
        "user_name" : "admin"
      }
    }
  ]
}
{code}
 

 
2-  'https://<ambari_server>:8441/services/AMBARI/components/AMBARI_SERVER' 

Example--
{code:java}
{
  "href" : "https://172.25.40.23:8441/services/AMBARI/components/AMBARI_SERVER",
  "RootServiceComponents" : {
    "component_name" : "AMBARI_SERVER",
    "component_version" : "2.7.3.0",
    "server_clock" : 1564744453,
    "service_name" : "AMBARI",
    "properties" : {
      "agent.package.install.task.timeout" : "1800",
      "agent.stack.retry.on_repo_unavailability" : "false",
      "agent.stack.retry.tries" : "5",
      "agent.task.timeout" : "900",
      "agent.threadpool.size.max" : "25",
      "ambari-server.user" : "root",
      "ambari.python.wrap" : "ambari-python-wrap",
      "api.ssl" : "true",.............................
{code}

3- Using 'https://<ambari_server>:8441/services/AMBARI/components/AMBARI_AGENT' 

 

Example-- 
{code:java}
  "href" : "https://172.25.40.23:8441/services/AMBARI/components/AMBARI_AGENT",
  "RootServiceComponents" : {
    "component_name" : "AMBARI_AGENT",
    "component_version" : "NOT_APPLICABLE",
    "service_name" : "AMBARI",
    "properties" : { }
  },
  "hostComponents" : [
    {
      "href" : "https://172.25.40.23:8441/services/AMBARI/hosts/c2236-node2.squadron-labs.com/hostComponents/AMBARI_AGENT",
      "RootServiceHostComponents" : {
        "component_name" : "AMBARI_AGENT",
        "host_name" : "c2236-node2.squadron-labs.com",
        "service_name" : "AMBARI"
      }
{code}



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
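
An added example, not part of the original report or of Ambari's code: a check an administrator can run against their own server to confirm whether the three reported paths still answer on port 8441 without credentials, and what kind of data each response discloses. The function names, the `cafile` parameter and the sample body are assumptions made for this illustration.

```python
import json
import ssl
import urllib.error
import urllib.request

# Paths the report lists as readable on the agent port without logging in.
REPORTED_PATHS = (
    "/users",
    "/services/AMBARI/components/AMBARI_SERVER",
    "/services/AMBARI/components/AMBARI_AGENT",
)

# Constructed sample body in the shape of the report's first example.
SAMPLE_USERS = b'{"items": [{"Users": {"user_name": "admin"}}]}'

def classify(status, body):
    """Map an unauthenticated response to the kinds of data it disclosed."""
    if status != 200:
        return {}
    try:
        doc = json.loads(body)
    except ValueError:
        return {}
    if not isinstance(doc, dict):
        return {}
    found = {}
    users = [i.get("Users", {}).get("user_name") for i in doc.get("items", [])]
    if any(users):
        found["user_names"] = [u for u in users if u]
    props = doc.get("RootServiceComponents", {}).get("properties")
    if props:
        found["server_properties"] = sorted(props)
    hosts = [h.get("RootServiceHostComponents", {}).get("host_name")
             for h in doc.get("hostComponents", [])]
    if any(hosts):
        found["agent_hosts"] = [h for h in hosts if h]
    return found

def probe(host, port=8441, cafile=None, timeout=5):
    """Request each reported path with no credentials on a server you run."""
    ctx = ssl.create_default_context(cafile=cafile)
    results = {}
    for path in REPORTED_PATHS:
        try:
            url = f"https://{host}:{port}{path}"
            with urllib.request.urlopen(url, timeout=timeout, context=ctx) as r:
                results[path] = classify(r.status, r.read())
        except (urllib.error.URLError, OSError):
            results[path] = {}  # refused, 401/403, or TLS failure: nothing read
    return results
```

An empty result for every path means nothing was readable without authentication; pass the server's CA certificate as `cafile` when it is not in the system trust store.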
