[ 
https://issues.apache.org/jira/browse/YARN-10973?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated YARN-10973:
----------------------------------
    Labels: pull-request-available  (was: )

> Remove Jersey version from application.wadl for Security Reasons
> ----------------------------------------------------------------
>
>                 Key: YARN-10973
>                 URL: https://issues.apache.org/jira/browse/YARN-10973
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Tamas Domok
>            Assignee: Tamas Domok
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> A security audit highlighted that the auto generated *application.wadl* 
> contains the server version - _jersey:generatedBy="Jersey: 1.19 02/11/2015 
> 03:25 AM"_ - and we should hide this attribute.
> Unfortunately it is not possible to disable this attribute from the Jersey 
> API: 
> https://github.com/javaee/jersey-1.x/blob/864a01d7be490ab93d2424da3e446ad8eb84b1e8/jersey-server/src/main/java/com/sun/jersey/server/wadl/WadlBuilder.java#L245
> The only workaround I could come up with is to create a filter and remove the 
> tag by hand.
>  
> I'm not sure if this is worth the hassle; Hadoop is open source and the 
> versions of the software components it uses could be identified quite easily. 
> Anyway, I created a patch with the workaround, *but it's up for discussion 
> whether we really need this or not.*
>  
> *How to test?*
> {code:java}
> curl -v "http://localhost:8088/application.wadl"
> {code}
> *Actual:*
> {code:java}
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <application xmlns="http://wadl.dev.java.net/2009/02">
>     <doc xmlns:jersey="http://jersey.java.net/" jersey:generatedBy="Jersey: 1.19 02/11/2015 03:25 AM"/>
> {code}
> *Expected:*
> {code:java}
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <application xmlns="http://wadl.dev.java.net/2009/02">
>     <doc xmlns:jersey="http://jersey.java.net/"/>
> {code}
> *Software Version Disclosure*
> It has been detected that detailed platform version information is available 
> to the end users. Such information is very useful in narrowing down the scope 
> of further malicious actions, since it reveals what potential security 
> vulnerabilities might be present on the relevant asset.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
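
Illustration of the filter-based workaround the issue describes: a servlet filter that buffers the response to /application.wadl and removes the jersey:generatedBy attribute before the bytes leave the server. This is example code written for this page, not the patch attached to YARN-10973. It assumes the javax.servlet 3.1 API (as used by the Jetty web app serving the ResourceManager on port 8088), that the filter is registered on that web application (the registration mechanism is outside the example), and that Jersey 1.x serializes the attribute exactly as shown in the issue (double-quoted, on the <doc> element). The class name WadlVersionStripFilter and the regular expression are this example's own.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.WriteListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Example filter (not the YARN project's patch) that strips the
 * jersey:generatedBy="..." attribute Jersey 1.x writes into application.wadl.
 * Assumes the javax.servlet 3.1 API.
 */
public class WadlVersionStripFilter implements Filter {

    // Matches the attribute Jersey 1.x hard-codes into the <doc> element.
    // The leading whitespace is included so the element stays well-formed,
    // leaving <doc xmlns:jersey="http://jersey.java.net/"/> behind.
    static final Pattern GENERATED_BY =
        Pattern.compile("\\s+jersey:generatedBy=\"[^\"]*\"");

    /** Removes the version attribute from a WADL document. */
    static String stripGeneratedBy(String wadl) {
        return GENERATED_BY.matcher(wadl).replaceAll("");
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Only the generated WADL carries the attribute; everything else
        // passes through to the client unbuffered.
        if (!req.getRequestURI().endsWith("/application.wadl")) {
            chain.doFilter(request, response);
            return;
        }

        // Let Jersey render the document into our buffer instead of the socket.
        BufferingResponse buffered = new BufferingResponse(resp);
        chain.doFilter(request, buffered);
        buffered.flushWriter();

        byte[] out = stripGeneratedBy(buffered.getBodyAsString())
            .getBytes(StandardCharsets.UTF_8);

        // The body got shorter, so the Content-Length must be recomputed here;
        // any length set upstream was discarded by the wrapper.
        resp.setContentLength(out.length);
        resp.getOutputStream().write(out);
        resp.getOutputStream().flush();
    }

    /** Captures whatever the wrapped servlet writes instead of sending it. */
    static final class BufferingResponse extends HttpServletResponseWrapper {
        private final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        private final ServletOutputStream stream = new ServletOutputStream() {
            @Override public void write(int b) { buffer.write(b); }
            @Override public boolean isReady() { return true; }
            @Override public void setWriteListener(WriteListener listener) { }
        };
        private PrintWriter writer;

        BufferingResponse(HttpServletResponse response) { super(response); }

        @Override public ServletOutputStream getOutputStream() { return stream; }

        @Override public PrintWriter getWriter() {
            if (writer == null) {
                writer = new PrintWriter(
                    new OutputStreamWriter(buffer, StandardCharsets.UTF_8));
            }
            return writer;
        }

        // Swallow the upstream Content-Length; the filter sets the real one.
        @Override public void setContentLength(int len) { }

        void flushWriter() { if (writer != null) writer.flush(); }

        String getBodyAsString() {
            return new String(buffer.toByteArray(), StandardCharsets.UTF_8);
        }
    }
}
```

With the filter in place, the curl command from the issue should return the "Expected" document. Two caveats for anyone adopting this approach: the regex is tied to Jersey 1.x's exact serialization and would need rechecking after a Jersey upgrade, and, as the reporter notes, removing this one banner does not hide the component versions of an open-source stack; it only denies a scanner the easy signal that the audit flagged.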
