CHUKWA-619: Disable Trace Method on Collector's Port

    Details

    • Type: Wish
    • Status: Resolved
    • Priority: Trivial
    • Resolution: Fixed
    • Affects Version/s: 0.4.0
    • Fix Version/s: 0.5.0
    • Component/s: Data Collection
    • Labels:
      None
    • Environment:
      Debian 5.0, Hadoop 0.20

    • Release Note:
      Disabled trace method on Chukwa servlets. (Julio Conca via Eric Yang)

      Description

      After a security audit of our client, he notified us of the following vulnerability at port 8081 (Collector port):
      HTTP TRACE / TRACK Methods Allowed

      I think this is good documentation on the vulnerability:
      http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf

      We added the following code to all the collector's servlets to solve the problem.

      @Override
      protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
          throws ServletException, IOException {
          // Reject TRACE outright with 405 Method Not Allowed, so the request is never echoed back.
          resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
      }

      The collector's servlets we fixed are:
      org.apache.hadoop.chukwa.datacollection.collector.servlet.CommitCheckServlet
      org.apache.hadoop.chukwa.datacollection.collector.servlet.LogDisplayServlet
      org.apache.hadoop.chukwa.datacollection.collector.servlet.ServletCollector

      Another solution could be to extend Jetty's DefaultServlet, but we didn't try it. Our solution is good enough for us.

      Regards.
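To show what the auditor's finding means in practice and how a defender can verify the fix, here is an added example that is not part of the issue or of the Chukwa code base. It builds two tiny HTTP servers with the Python standard library: a permissive one that answers TRACE by echoing the request back (the behaviour flagged above, which is a problem because any header the client attached, such as a Cookie, is reflected in the response body), and a hardened one that answers 405 Method Not Allowed, the same thing the doTrace() override in the issue does. check_trace() is the verification step: it sends one TRACE request with a constructed marker header and reports the status and whether the marker came back. Handler and function names, the marker header and the loopback ports are all assumptions of this example.

```python
"""Added example (not from CHUKWA-619 or Chukwa itself): TRACE reflection
versus a 405 rejection, plus a small check a defender can run.
Assumptions: Python 3 standard library only; servers bind ephemeral
loopback ports; the marker header name is made up for the check."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class PermissiveHandler(BaseHTTPRequestHandler):
    """What an unpatched server does: echo the TRACE request back verbatim."""

    def do_TRACE(self):
        # message/http body = request line + every request header we received
        body = self.requestline.encode("latin-1") + b"\r\n"
        body += b"".join(f"{k}: {v}\r\n".encode("latin-1") for k, v in self.headers.items())
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class HardenedHandler(PermissiveHandler):
    """Equivalent of the doTrace() override in the issue: reject TRACE with 405."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, POST")  # RFC 7231 requires Allow on a 405
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler):
    """Bind a free loopback port, serve in a daemon thread, return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def check_trace(host, port, timeout=5):
    """Send one TRACE request carrying a constructed marker header and report
    the status code, whether the marker was echoed, and whether TRACE was
    accepted at all (any 2xx/3xx answer counts as allowed)."""
    marker = "Trace-Check-Marker"  # constructed header name, not a real one
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={marker: "chukwa-619"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    return {
        "status": resp.status,
        "echoed": marker.lower() in body.lower(),
        "trace_allowed": resp.status < 400,
    }


def demo():
    """Run the check against both handlers; returns {name: check_trace result}."""
    results = {}
    for name, handler in (("permissive", PermissiveHandler), ("hardened", HardenedHandler)):
        server, port = start_server(handler)
        try:
            results[name] = check_trace("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        verdict = "TRACE allowed (finding reproduces)" if r["trace_allowed"] else "TRACE rejected"
        print(f"{name:10s} HTTP {r['status']}  echoed={r['echoed']}  -> {verdict}")
```

check_trace() can be pointed at a real collector (host and port 8081 in the issue) after deploying the fix: a 405 with no echoed marker is the expected result. The Allow header is included because a 405 without it is technically malformed; the Java fix in the issue relies on the container to add it, which Jetty's sendError() does not do on its own, so a scanner checking strictly may still note that detail.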

        Activity

        eyang Eric Yang added a comment -

        I just committed this to trunk. Thanks Julio.


          People

          • Assignee: Unassigned
          • Reporter: jconca Julio Conca