[jira] [Updated] (HIVE-21902) HiveServer2 UI: jetty response header needs X-Frame-Options
[
https://issues.apache.org/jira/browse/HIVE-21902?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daniel Dai updated HIVE-21902:
--
Resolution: Fixed
Hadoop Flags: Reviewed
Fix Version/s: 4.0.0
Status: Resolved (was: Patch Available)
Patch pushed to master. Thanks Rajkumar!
> HiveServer2 UI: jetty response header needs X-Frame-Options
> ---
>
> Key: HIVE-21902
> URL: https://issues.apache.org/jira/browse/HIVE-21902
> Project: Hive
> Issue Type: Bug
>Affects Versions: 3.1.0
>Reporter: Rajkumar Singh
>Assignee: Rajkumar Singh
>Priority: Major
> Labels: security
> Fix For: 4.0.0
>
> Attachments: HIVE-21902.01.patch, HIVE-21902.patch
>
>
> there are some vulnerability are reported for hiveserver2 ui
> X-Frame-Options or Content-Security-Policy: frame-ancestors HTTP Headers
> missing on port 10002.
> {code}
> GET / HTTP/1.1
> Host: HOSTNAME:10002
> Connection: Keep-Alive
> X-XSS-Protection HTTP Header missing on port 10002.
> X-Content-Type-Options HTTP Header missing on port 10002.
> {code}
> after the proposed changes
> {code}
> HTTP/1.1 200 OK
> Date: Thu, 20 Jun 2019 05:29:59 GMT
> Content-Type: text/html;charset=utf-8
> X-Content-Type-Options: nosniff
> X-FRAME-OPTIONS: SAMEORIGIN
> X-XSS-Protection: 1; mode=block
> Set-Cookie: JSESSIONID=15kscuow9cmy7qms6dzaxllqt;Path=/
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Content-Length: 3824
> Server: Jetty(9.3.25.v20180904)
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Updated] (HIVE-21902) HiveServer2 UI: jetty response header needs X-Frame-Options
[
https://issues.apache.org/jira/browse/HIVE-21902?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Thejas M Nair updated HIVE-21902:
-
Summary: HiveServer2 UI: jetty response header needs X-Frame-Options (was:
HiveServer2 UI: Security Vulnerability in jetty response header)
> HiveServer2 UI: jetty response header needs X-Frame-Options
> ---
>
> Key: HIVE-21902
> URL: https://issues.apache.org/jira/browse/HIVE-21902
> Project: Hive
> Issue Type: Bug
>Affects Versions: 3.1.0
>Reporter: Rajkumar Singh
>Assignee: Rajkumar Singh
>Priority: Major
> Labels: security
> Attachments: HIVE-21902.01.patch, HIVE-21902.patch
>
>
> there are some vulnerability are reported for hiveserver2 ui
> X-Frame-Options or Content-Security-Policy: frame-ancestors HTTP Headers
> missing on port 10002.
> {code}
> GET / HTTP/1.1
> Host: HOSTNAME:10002
> Connection: Keep-Alive
> X-XSS-Protection HTTP Header missing on port 10002.
> X-Content-Type-Options HTTP Header missing on port 10002.
> {code}
> after the proposed changes
> {code}
> HTTP/1.1 200 OK
> Date: Thu, 20 Jun 2019 05:29:59 GMT
> Content-Type: text/html;charset=utf-8
> X-Content-Type-Options: nosniff
> X-FRAME-OPTIONS: SAMEORIGIN
> X-XSS-Protection: 1; mode=block
> Set-Cookie: JSESSIONID=15kscuow9cmy7qms6dzaxllqt;Path=/
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Content-Length: 3824
> Server: Jetty(9.3.25.v20180904)
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
