[
https://issues.apache.org/jira/browse/YARN-10973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17581710#comment-17581710
]
ASF GitHub Bot commented on YARN-10973:
---------------------------------------
liziwl commented on PR #3510:
URL: https://github.com/apache/hadoop/pull/3510#issuecomment-1220363570
Maybe you can try adding `params.put(ResourceConfig.FEATURE_DISABLE_WADL, "true");` after
https://github.com/apache/hadoop/blob/f75c58a1ca349435e318fa5ffb5929a3cb5fcb45/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/WebApp.java#L192
> Remove Jersey version from application.wadl for Security Reasons
> ----------------------------------------------------------------
>
> Key: YARN-10973
> URL: https://issues.apache.org/jira/browse/YARN-10973
> Project: Hadoop YARN
> Issue Type: Improvement
> Reporter: Tamas Domok
> Assignee: Tamas Domok
> Priority: Major
> Labels: pull-request-available
> Time Spent: 1h
> Remaining Estimate: 0h
>
> A security audit highlighted that the auto-generated *application.wadl*
> contains the Jersey RESTful Web Services version -
> _jersey:generatedBy="Jersey: 1.19 02/11/2015 03:25 AM"_ - and we should hide
> this attribute.
> Unfortunately it is not possible to disable this attribute from the Jersey
> API:
> https://github.com/javaee/jersey-1.x/blob/864a01d7be490ab93d2424da3e446ad8eb84b1e8/jersey-server/src/main/java/com/sun/jersey/server/wadl/WadlBuilder.java#L245
> The only workaround I could come up with is to create a filter and remove the
> tag by hand.
>
> I'm not sure if this is worth the hassle; Hadoop is open source and the
> versions of the software components used could be identified quite easily.
> Anyway, I created a patch with the workaround, *but it's up to discussion if
> we really need this or not.*
>
> *How to test?*
> {code:bash}
> curl -v "http://localhost:8088/application.wadl"
> {code}
> *Actual:*
> {code:xml}
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <application xmlns="http://wadl.dev.java.net/2009/02">
> <doc xmlns:jersey="http://jersey.java.net/" jersey:generatedBy="Jersey: 1.19 02/11/2015 03:25 AM"/>
> {code}
> *Expected:*
> {code:xml}
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <application xmlns="http://wadl.dev.java.net/2009/02">
> <doc xmlns:jersey="http://jersey.java.net/" />
> {code}
> *Software Version Disclosure*
> It has been detected that detailed platform version information is available
> to
> the end users. Such information is very useful in narrowing down the scope of
> further malicious actions since it reveals what potential security
> vulnerabilities might be present on the relevant asset.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
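The workaround the issue describes (a filter that strips the tag by hand, rather than disabling WADL generation altogether as the `FEATURE_DISABLE_WADL` suggestion would) can be written as a servlet filter that buffers the `application.wadl` response and removes the `jersey:generatedBy` attribute before it reaches the client. The class below is an added illustration, not the patch attached to YARN-10973 or any code in the Hadoop tree; it assumes the Servlet 3.1 API (`javax.servlet`) that Hadoop's Jetty-based web apps use, and it leaves out how the filter is registered with the YARN `WebApp`, which is not shown on this page.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.WriteListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Hypothetical filter (not Hadoop's own) that removes the
 * jersey:generatedBy="Jersey: ..." attribute Jersey 1.x writes into
 * the auto-generated application.wadl, so the Jersey version is no
 * longer disclosed to callers. Other requests stream through untouched.
 */
public class WadlVersionStripFilter implements Filter {

  // Jersey writes the attribute as a single double-quoted value, so a
  // narrow regex is enough here; the value is produced by Jersey, not by
  // the client, and never contains an embedded quote.
  private static final Pattern GENERATED_BY =
      Pattern.compile("\\s+jersey:generatedBy=\"[^\"]*\"");

  @Override public void init(FilterConfig config) { }
  @Override public void destroy() { }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest hreq = (HttpServletRequest) req;
    HttpServletResponse hres = (HttpServletResponse) res;

    // Only the WADL document is buffered and rewritten.
    if (!hreq.getRequestURI().endsWith("/application.wadl")) {
      chain.doFilter(req, res);
      return;
    }

    BufferingResponse buffered = new BufferingResponse(hres);
    chain.doFilter(req, buffered);

    byte[] body = stripGeneratedBy(buffered.getBody()).getBytes(StandardCharsets.UTF_8);
    // The body shrank, so the Content-Length must be set from the rewritten bytes.
    hres.setContentLength(body.length);
    hres.getOutputStream().write(body);
    hres.flushBuffer();
  }

  /** Returns the WADL text with every jersey:generatedBy attribute removed. */
  static String stripGeneratedBy(String wadl) {
    return GENERATED_BY.matcher(wadl).replaceAll("");
  }

  /** Captures whatever the downstream servlet writes instead of sending it. */
  private static final class BufferingResponse extends HttpServletResponseWrapper {
    private final ByteArrayOutputStream buf = new ByteArrayOutputStream();
    private final ServletOutputStream stream = new ServletOutputStream() {
      @Override public void write(int b) { buf.write(b); }
      @Override public boolean isReady() { return true; }
      @Override public void setWriteListener(WriteListener listener) { }
    };
    private PrintWriter writer;

    BufferingResponse(HttpServletResponse response) { super(response); }

    @Override public ServletOutputStream getOutputStream() { return stream; }

    @Override public PrintWriter getWriter() {
      if (writer == null) {
        writer = new PrintWriter(new OutputStreamWriter(buf, StandardCharsets.UTF_8));
      }
      return writer;
    }

    // Ignore the downstream Content-Length: it describes the unstripped body.
    @Override public void setContentLength(int len) { }

    String getBody() {
      if (writer != null) {
        writer.flush();
      }
      return new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }
  }
}
```

Applied to the "Actual" document quoted in the issue, `stripGeneratedBy` yields the "Expected" document (the `<doc>` element keeps its `xmlns:jersey` declaration and loses only the `generatedBy` attribute). Two caveats worth keeping in mind: the filter has to run before any compression filter, since it rewrites the plain body and resets `Content-Length`; and, as the reporter notes, hiding this one string only raises the cost of fingerprinting an open-source stack rather than preventing it, so the same `curl -v` check from the issue should still be part of the release test so the attribute does not silently return after a Jersey upgrade.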