[jira] [Created] (YARN-10973) Remove Jersey version from application.wadl for Security Reasons

Fri, 01 Oct 2021 04:02:12 -0700 

Tamas Domok created YARN-10973:
----------------------------------

             Summary: Remove Jersey version from application.wadl for Security 
Reasons
                 Key: YARN-10973
                 URL: https://issues.apache.org/jira/browse/YARN-10973
             Project: Hadoop YARN
          Issue Type: Improvement
            Reporter: Tamas Domok
            Assignee: Tamas Domok


A security audit highlighted that the auto generated *application.wadl* 
contains the server version - _jersey:generatedBy="Jersey: 1.19 02/11/2015 
03:25 AM"_ - and we should hide this attribute.

Unfortunately it is not possible to disable this attribute from the Jersey API: 
[https://github.com/javaee/jersey-1.x/blob/864a01d7be490ab93d2424da3e446ad8eb84b1e8/jersey-server/src/main/java/com/sun/jersey/server/wadl/WadlBuilder.java#L245|https://github.com/javaee/jersey-1.x/blob/864a01d7be490ab93d2424da3e446ad8eb84b1e8/jersey-server/src/main/java/com/sun/jersey/server/wadl/WadlBuilder.java#L245)]

The only workaround I could come up with is to create a filter and remove the 
tag by hand.

 

I'm not sure if this worth the hustle, hadoop is open source and the used 
software component versions could be identified quite easily. Anyway I created 
a patch with the workaround, *but it's up to discussion if we really need this 
or not.*

 

*How to test?*
{code:java}
curl -v "http://localhost:8088/application.wadl"; {code}

*Actual:*
{code:java}
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<application xmlns="http://wadl.dev.java.net/2009/02";>
    <doc xmlns:jersey="http://jersey.java.net/"; jersey:generatedBy="Jersey: 
1.19 02/11/2015 03:25 AM"/> {code}

*Expected:*
{code:java}
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <application 
xmlns="http://wadl.dev.java.net/2009/02";> <doc 
xmlns:jersey="http://jersey.java.net/"; />{code}

*Software Version Disclosure*

It has been detected that detailed platform version information is available to
the end users. Such information is very useful in narrowing down the scope of
further malicious actions since it reveals what potential security 
vulnerabilities might be present on the relevant asset.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to