[YARN-11076] Upgrade jQuery version in Yarn UI2 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.3.0, 3.4.0
Fix Version/s: 3.4.0, 3.3.5
Component/s: yarn-ui-v2
Labels:
- pull-request-available

Hadoop Flags:

Reviewed

Description

UI2 uses an old jQuery version (2.1.4) which is affected by some known vulnerabilities, e.g.:

Attached an example reproduction page:
jquery.html
The alert window pops with 1.8.2, or 2.1.4 but not with a 3.6.0. However, I couldn't exploit this with UI2, but I haven't tried every code path for sure.

https://github.com/apache/hadoop/blob/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower.json

    "jquery": "2.1.4",
    "jquery-ui": "1.11.4",

jQuery was upgraded already in hadoop-common:

~~HADOOP-18044~~, ~~HADOOP-17286~~, ~~HADOOP-17783~~

jquery-ui should also be upgraded to at least 1.13.0:

https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-31126/Jquery-Jquery-Ui.html

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

ui2jquery.png
15/Feb/22 10:12
67 kB
Tamas Domok
jquery.html
15/Feb/22 10:13
0.3 kB
Tamas Domok

Issue Links

links to

GitHub Pull Request #4046

Activity

People

Assignee:: Tamas Domok

Reporter:: Tamas Domok

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 15/Feb/22 10:22

Updated:: 03/Mar/22 15:14

Resolved:: 03/Mar/22 14:54

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

40m