[SPARK-24509] Spark WebUI [security] - Web Server Version Disclosure - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Won't Fix
Affects Version/s: 2.3.0
Fix Version/s: None
Component/s: Web UI
Labels:
- security

Description

Risk/Issue summary description/detail
The Spark web portals expose technical details about its infrastructure through server response headers.

The Server header is appended to the server responses as part of the HTTP/1.1 standard. These headers inadvertently disclose information that may aid an attacker in gathering information for a targeted attack. The following information was gathered from server response headers:

Server: Jetty(9.3.z-SNAPSHOT)
Server: Apache-Coyote/1.1

Business impact / attack scenario

An attacker may use this information to identify technologies and research publicly disclosed vulnerabilities that may affect the system.

Recommendation

Remove the Server header from application responses.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: t oo

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 10/Jun/18 23:15

Updated:: 11/Jun/18 16:38

Resolved:: 11/Jun/18 16:38