Apache flink 1.7.2 security issues

Apache flink 1.7.2 security issues

V N, Suchithra (Nokia - IN/Bangalore)

Hello,

 

We are using Apache Flink version 1.7.2. During our security scans, the following issues were reported by our scan tool. Please let us know your comments on these issues.

 

[1] 150085 Slow HTTP POST vulnerability

Severity Potential Vulnerability - Level 3

Group Information Disclosure

 

Threat

The web application is possibly vulnerable to a "slow HTTP POST" Denial of Service (DoS) attack. This is an application-level DoS that consumes server resources by maintaining open connections for an extended period of time by slowly sending traffic to the server. If the server maintains too many connections open at once, then it may not be able to respond to new, legitimate connections.

 

#1 Request

Payload N/A

Request POST https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

#4 Content-Type: application/x-www-form-urlencoded

 

#1 Response

Vulnerable to slow HTTP POST attack

Connection with partial POST body remained open for: 312932 milliseconds

 

[2] 150124 Clickjacking - Framable Page (10)

Severity Confirmed Vulnerability - Level 3

Group Information Disclosure

CVSS Base 6.4 CVSS Temporal 5.8

 

Threat

The web page can be framed. This means that clickjacking attacks against users are possible.

 

#1 Request

Payload N/A

Request GET https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

 

#1 Response

The URI was framed.

 

The URLs below also reported the same issues, and the response was the same.

Request GET https://<ip>:<port>/partials/jobs/running-jobs.html

Request GET https://<ip>:<port>/partials/submit.html

Request GET https://<ip>:<port>/partials/jobmanager/stdout.html

Request GET https://<ip>:<port>/partials/jobs/completed-jobs.html

Request GET https://<ip>:<port>/partials/taskmanager/index.html

Request GET https://<ip>:<port>/partials/jobmanager/log.html

Request GET https://<ip>:<port>/partials/jobmanager/index.html

Request GET https://<ip>:<port>/partials/overview.html

Request GET https://<ip>:<port>/partials/jobmanager/config.html

 

[3] 150162 Use of JavaScript Library with Known Vulnerability (4)

 

Threat

The web application is using a JavaScript library that is known to contain at least one vulnerability.

 

#1 Request

Payload -

Request GET https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

 

#1 Response

Vulnerable javascript library: jQuery

version: 2.2.0

Details:

CVE-2015-9251: jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses (3rd party CORS request may execute). (https://github.com/jquery/jquery/issues/2432).

Solution: jQuery version 3.0.0 has been released to address the issue (http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/). Please refer to vendor documentation (https://blog.jquery.com/) for the latest security updates.

 

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

 

#1 Response

Vulnerable javascript library: Angular

version: 1.4.8

Details:

In angular versions below 1.6.5 both Firefox and Safari are vulnerable to XSS in $sanitize if an inert document created via `document.implementation.createHTMLDocument()` is used. Angular version 1.6.5 checks for these vulnerabilities and then use a DOMParser or XHR strategy if needed. Please refer to vendor documentation (https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94) for latest security updates.

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

#1 Response

Vulnerable javascript library: Bootstrap

version: 3.3.6

Details:

The data-target attribute in bootstrap versions below 3.4.0 is vulnerable to Cross-Site Scripting (XSS) attacks. Please refer to vendor documentation (https://github.com/twbs/bootstrap/pull/23687, https://github.com/twbs/bootstrap/issues/20184) for the latest security updates.

----------------------------------------------

CVE-2019-8331: In bootstrap versions before 3.4.1, data-template, data-content and data-title properties of tooltip or popover are vulnerable to Cross-Site Scripting (XSS) attacks. Please refer to vendor documentation (https://github.com/twbs/bootstrap/issues/28236) for latest security updates.

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

Vulnerable javascript library: moment

version: 2.10.6

Details:

CVE-2016-4055: moment versions below 2.11.2 are vulnerable to regular expression denial of service when user input is passed unchecked into moment.duration() blocking the event loop for a period of time. (https://github.com/moment/moment/issues/2936).

Solution: moment version 2.11.2 has been released to address the issue. Please refer to vendor documentation (https://github.com/moment/moment/blob/develop/CHANGELOG.md, https://nvd.nist.gov/vuln/detail/CVE-2016-4055) for latest security updates.

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

 

[4] 150081 X-Frame-Options header is not set (10)

Severity Potential Vulnerability - Level 1

Group Information Disclosure

CVSS Base 5 CVSS Temporal 4.1

 

Threat

The X-Frame-Options header is not set in the HTTP response, which may lead to a possible framing of the page. An attacker can trick users into clicking on a malicious link by framing the original page and showing a layer on top of it with legitimate-looking buttons.

 

#1 Request

Payload N/A

Request GET https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

 

#1 Response

The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN

 

Request GET https://<ip>:<port>/partials/jobs/running-jobs.html

Request GET https://<ip>:<port>/partials/submit.html

Request GET https://<ip>:<port>/partials/jobmanager/stdout.html

Request GET https://<ip>:<port>/partials/jobs/completed-jobs.html

Request GET https://<ip>:<port>/partials/taskmanager/index.html

Request GET https://<ip>:<port>/partials/jobmanager/log.html

Request GET https://<ip>:<port>/partials/jobmanager/index.html

Request GET https://<ip>:<port>/partials/overview.html

Request GET https://<ip>:<port>/partials/jobmanager/config.html

 

 

[5] 150202 Missing header: X-Content-Type-Options

Severity Information Gathered - Level 2

Group Information Gathered

 

Threat

The X-Content-Type-Options response header is not present. WAS reports missing X-Content-Type-Options header on each crawled link with all types of static and dynamic response. The scanner performs the check on 4xx and 5xx responses too. It's possible to see a directory link reported for QID as well.

 

X-Content-Type-Options: Header missing

Response headers on link: GET https://<ip>:<port>/ response code: 200

Content-Type: text/html

Date: Fri, 05 Jul 2019 01:22:22 GMT

Expires: Fri, 05 Jul 2019 01:27:22 GMT

Cache-Control: private, max-age=300

Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT

Connection: keep-alive

Content-Length: 3306

Header missing on the following link(s):

(Only first 50 such pages are listed)

GET https://<ip>:<port>/ response code: 200

GET https://<ip>:<port>/images/safari-pinned-tab.svg response code: 200

GET https://<ip>:<port>/js/index.js response code: 200

GET https://<ip>:<port>/images/favicon-32x32.png response code: 200

GET https://<ip>:<port>/images/apple-touch-icon.png response code: 200

GET https://<ip>:<port>/images/favicon.ico response code: 200

GET https://<ip>:<port>/js/vendor.js response code: 200

GET https://<ip>:<port>/css/vendor.css response code: 200

GET https://<ip>:<port>/css/index.css response code: 200

GET https://<ip>:<port>/images/favicon-16x16.png response code: 200

GET https://<ip>:<port>/images/manifest.json response code: 200

GET https://<ip>:<port>/config response code: 200

GET https://<ip>:<port>/fonts/fontawesome-webfont.ttf?v=4.5.0 response code: 200

GET https://<ip>:<port>/fonts/fontawesome-webfont.woff2?v=4.5.0 response code: 200

GET https://<ip>:<port>/fonts/fontawesome-webfont.woff?v=4.5.0 response code: 200

GET https://<ip>:<port>/jobs/overview response code: 200

GET https://<ip>:<port>/overview response code: 200

GET https://<ip>:<port>/partials/overview.html response code: 200

GET https://<ip>:<port>/favicon.ico response code: 404

GET https://<ip>:<port>/partials/jobs/completed-jobs.html response code: 200

GET https://<ip>:<port>/jobmanager/config response code: 200

GET https://<ip>:<port>/partials/jobmanager/config.html response code: 200

GET https://<ip>:<port>/partials/jobmanager/index.html response code: 200

GET https://<ip>:<port>/partials/jobs/running-jobs.html response code: 200

GET https://<ip>:<port>/jars/ response code: 200

GET https://<ip>:<port>/partials/submit.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/index.html response code: 200

GET https://<ip>:<port>/taskmanagers response code: 200

GET https://<ip>:<port>/jobmanager/log response code: 200

GET https://<ip>:<port>/partials/jobmanager/log.html response code: 200

GET https://<ip>:<port>/jobmanager/stdout response code: 200

GET https://<ip>:<port>/partials/jobmanager/stdout.html response code: 200

GET https://<ip>:<port>/partials/%257B%257B'%23/jobs/'%20+%20jid%7D%7D response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanager.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/taskmanager.metrics.html response code: 200

GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9 response code: 200

GET https://<ip>:<port>/partials/jobmanager/jobmanager/log response code: 404

GET https://<ip>:<port>/partials/jobmanager/jobmanager/stdout response code: 404

GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9/log response code: 500

GET https://<ip>:<port>/partials/taskmanager/taskmanager.log.html response code: 200

GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9/stdout response code: 500

GET https://<ip>:<port>/partials/taskmanager/taskmanager.stdout.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%7B%7Btaskmanagerid%7D%7D/log response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%257B%257Btaskmanagerid%257D%257D/log response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%7B%7Btaskmanagerid%7D%7D/stdout response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%257B%257Btaskmanagerid%257D%257D/stdout response code: 404

 

 

[6] 150204 Missing header: X-XSS-Protection

Severity Information Gathered - Level 1

Group Information Gathered

 

Threat

The X-XSS-Protection response header is not present.

 

X-Xss-Protection: Header missing

Response headers on link: GET https://<ip>:<port>/ response code: 200

Content-Type: text/html

Date: Fri, 05 Jul 2019 01:22:22 GMT

Expires: Fri, 05 Jul 2019 01:27:22 GMT

Cache-Control: private, max-age=300

Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT

Connection: keep-alive

Content-Length: 3306

Header missing on the following link(s):

(Only first 50 such pages are listed)

GET https://<ip>:<port>/ response code: 200

GET https://<ip>:<port>/partials/overview.html response code: 200

GET https://<ip>:<port>/partials/jobs/completed-jobs.html response code: 200

GET https://<ip>:<port>/partials/jobmanager/config.html response code: 200

GET https://<ip>:<port>/partials/jobmanager/index.html response code: 200

GET https://<ip>:<port>/partials/jobs/running-jobs.html response code: 200

GET https://<ip>:<port>/partials/submit.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/index.html response code: 200

GET https://<ip>:<port>/jobmanager/log response code: 200

GET https://<ip>:<port>/partials/jobmanager/log.html response code: 200

GET https://<ip>:<port>/jobmanager/stdout response code: 200

 

 

[7] 150135 HTTP Strict Transport Security (HSTS) header missing/misconfigured.

Severity Information Gathered - Level 1

Group Information Gathered

 

Threat

HTTP Strict Transport Security (HSTS) header found to be missing or misconfigured. HSTS header dictates to a conforming browser that the current and all subsequent connections (for a configurable amount of time) to the subject website should only be performed over a secure transport layer. Additionally, users are not permitted to bypass SSL/TLS certificate errors; preventing browser click-throughs in the event of expired or otherwise untrusted certificates.

 

Strict Transport Security header missing for

https://<ip>:<port>/

 

 

Regards,

Suchithra


Re: Apache flink 1.7.2 security issues

Stephan Ewen
Hi!

Thank you for reporting this!

At the moment, the Flink REST endpoint is not secure in the way that you can expose it publicly. After all, you can submit Flink jobs to it which by definition support executing arbitrary code.
Given that access to the REST endpoint allows by design arbitrary code execution (running a Flink job), these reported vulnerabilities are probably not as critical.

In light of that, the REST endpoint needs to be exposed in a secure way (SSL mutual auth, an authenticating proxy, etc.).

Nevertheless, let us see whether we can update at least the web UI dependencies to newer versions which are not subject to these exploits, to take a step towards making the REST endpoint more suitable to be public facing.

Best,
Stephan
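
One way to set up the authenticating proxy suggested in the reply above, which also covers the slow-POST and missing-header findings from the scan. This is an added example, not part of the original thread or of Flink's own configuration; it assumes nginx as the proxy, a Flink REST endpoint reachable only on 127.0.0.1:8081, and placeholder host name and certificate paths.

```nginx
# Added example: nginx as an authenticating TLS proxy in front of the
# Flink REST endpoint / web UI.
# Assumptions (not from the thread): Flink listens on 127.0.0.1:8081 only;
# flink.example.internal and every file path below are placeholders.

# Place in the http {} context: per-client connection accounting.
limit_conn_zone $binary_remote_addr zone=flink_conn:10m;

server {
    listen 443 ssl;
    # HSTS is only honoured for DNS names, not IP literals, so the UI
    # has to be reached through a host name for finding [7] to be fixed.
    server_name flink.example.internal;

    ssl_certificate     /etc/nginx/tls/flink-proxy.crt;
    ssl_certificate_key /etc/nginx/tls/flink-proxy.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Mutual TLS: the handshake fails unless the client presents a
    # certificate signed by this CA. Whoever passes can submit jobs,
    # i.e. run code, so issue client certificates accordingly.
    ssl_client_certificate /etc/nginx/tls/flink-clients-ca.crt;
    ssl_verify_client      on;

    # Finding [1], slow HTTP POST: these timeouts bound the gap between
    # two successive reads, not the whole request, so they are paired
    # with a per-client connection cap.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          30s;
    limit_conn            flink_conn 20;

    # Job jar uploads go through this proxy; size to the largest jar.
    client_max_body_size  200m;

    # Findings [2] and [4], clickjacking / X-Frame-Options.
    add_header X-Frame-Options "DENY" always;
    add_header Content-Security-Policy "frame-ancestors 'none'" always;

    # Finding [5], MIME sniffing.
    add_header X-Content-Type-Options "nosniff" always;

    # Finding [7], HSTS (one year).
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Finding [6]: X-XSS-Protection is left unset on purpose; most
    # current browsers no longer implement the filter it controlled.

    location / {
        # Request buffering is on by default, so a slowly arriving body
        # is held by nginx and never occupies a Flink connection.
        proxy_pass         http://127.0.0.1:8081;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_read_timeout 60s;
    }
}
```

The proxy does nothing for finding [3]: the outdated jQuery, Angular, Bootstrap and moment versions are bundled with the web UI and only change with a Flink release that updates them.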



On Sun, Aug 11, 2019 at 6:20 PM V N, Suchithra (Nokia - IN/Bangalore) <[hidden email]> wrote:

Hello,

 

We are using Apache Flink 1.7.2 version. During our security scans following issues are reported by our scan tool. Please let us know your comments on these issues.

 


Reply | Threaded
Open this post in threaded view
|

Apache flink 1.7.2 security issues

V N, Suchithra (Nokia - IN/Bangalore)
In reply to this post by V N, Suchithra (Nokia - IN/Bangalore)

Hello,

 

We are using Apache Flink 1.7.2 version. During our security scans following issues are reported by our scan tool. Please let us know your comments on these issues.

 

[1] 150085 Slow HTTP POST vulnerability

Severity Potential Vulnerability - Level 3

Group Information Disclosure

 

Threat

The web application is possibly vulnerable to a "slow HTTP POST" Denial of Service (DoS) attack. This is an application-level DoS that consumes server

resources by maintaining open connections for an extended period of time by slowly sending traffic to the server. If the server maintains too many connections

open at once, then it may not be able to respond to new, legitimate connections.

 

#1 Request

Payload N/A

Request POST <a href="https://%3cip%3e:%3cport%3e/">https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

#4 Content-Type: application/x-www-form-urlencoded

 

#1 Response

Vulnerable to slow HTTP POST attack

Connection with partial POST body remained open for: 312932 milliseconds

 

[2] 150124 Clickjacking - Framable Page (10)

Severity Confirmed Vulnerability - Level 3

Group Information Disclosure

CVSS Base 6.4 CVSS Temporal 5.8

 

Threat

The web page can be framed. This means that clickjacking attacks against users are possible.

 

#1 Request

Payload N/A

Request GET https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

 

#1 Response

The URI was framed.

 

The URLs below have also reported the same issues, and the response was the same.

 

Request GET https://<ip>:<port>/partials/jobs/running-jobs.html

Request GET https://<ip>:<port>/partials/submit.html

Request GET https://<ip>:<port>/partials/jobmanager/stdout.html

Request GET https://<ip>:<port>/partials/jobs/completed-jobs.html

Request GET https://<ip>:<port>/partials/taskmanager/index.html

Request GET https://<ip>:<port>/partials/jobmanager/log.html

Request GET https://<ip>:<port>/partials/jobmanager/index.html

Request GET https://<ip>:<port>/partials/overview.html

Request GET https://<ip>:<port>/partials/jobmanager/config.html

 

[3] 150162 Use of JavaScript Library with Known Vulnerability (4)

 

Threat

The web application is using a JavaScript library that is known to contain at least one vulnerability.

 

#1 Request

Payload -

Request GET https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

 

#1 Response

Vulnerable javascript library: jQuery

version: 2.2.0

Details:

CVE-2015-9251: jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses (3rd party CORS request may execute). (https://github.com/jquery/jquery/issues/2432).

Solution: jQuery version 3.0.0 has been released to address the issue (http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/). Please refer to vendor documentation (https://blog.jquery.com/) for the latest security updates.

 

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

 

#1 Response

Vulnerable javascript library: Angular

version: 1.4.8

Details:

In angular versions below 1.6.5 both Firefox and Safari are vulnerable to XSS in $sanitize if an inert document created via `document.implementation.createHTMLDocument()` is used. Angular version 1.6.5 checks for these vulnerabilities and then use a DOMParser or XHR strategy if needed. Please refer to vendor documentation (https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94) for latest security updates.

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

#1 Response

Vulnerable javascript library: Bootstrap

version: 3.3.6

Details:

The data-target attribute in bootstrap versions below 3.4.0 is vulnerable to Cross-Site Scripting(XSS) attacks. Please refer to vendor documentation (https://github.com/twbs/bootstrap/pull/23687, https://github.com/twbs/bootstrap/issues/20184) for the latest security updates.

----------------------------------------------

CVE-2019-8331: In bootstrap versions before 3.4.1, data-template, data-content and data-title properties of tooltip or popover are vulnerable to Cross-Site Scripting(XSS) attacks. Please refer to vendor documentation (https://github.com/twbs/bootstrap/issues/28236) for latest security updates.

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

Vulnerable javascript library: moment

version: 2.10.6

Details:

CVE-2016-4055: moment versions below 2.11.2 are vulnerable to regular expression denial of service when user input is passed unchecked into moment.duration() blocking the event loop for a period of time. (https://github.com/moment/moment/issues/2936).

Solution: moment version 2.11.2 has been released to address the issue. Please refer to vendor documentation (https://github.com/moment/moment/blob/develop/CHANGELOG.md, https://nvd.nist.gov/vuln/detail/CVE-2016-4055) for latest security updates.

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

 

[4] 150081 X-Frame-Options header is not set (10)

Severity Potential Vulnerability - Level 1

Group Information Disclosure

CVSS Base 5 CVSS Temporal 4.1

 

Threat

The X-Frame-Options header is not set in the HTTP response, which may lead to a possible framing of the page. An attacker can trick users into clicking on a malicious link by framing the original page and showing a layer on top of it with legitimate-looking buttons.

 

#1 Request

Payload N/A

Request GET https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

 

#1 Response

The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN

 

Request GET https://<ip>:<port>/partials/jobs/running-jobs.html

Request GET https://<ip>:<port>/partials/submit.html

Request GET https://<ip>:<port>/partials/jobmanager/stdout.html

Request GET https://<ip>:<port>/partials/jobs/completed-jobs.html

Request GET https://<ip>:<port>/partials/taskmanager/index.html

Request GET https://<ip>:<port>/partials/jobmanager/log.html

Request GET https://<ip>:<port>/partials/jobmanager/index.html

Request GET https://<ip>:<port>/partials/overview.html

Request GET https://<ip>:<port>/partials/jobmanager/config.html

 

 

[5] 150202 Missing header: X-Content-Type-Options

Severity Information Gathered - Level 2

Group Information Gathered

 

Threat

The X-Content-Type-Options response header is not present. WAS reports missing X-Content-Type-Options header on each crawled link with all types of static and dynamic response. The scanner performs the check on 4xx and 5xx responses too. It's possible to see a directory link reported for QID as well.

 

X-Content-Type-Options: Header missing

Response headers on link: GET https://<ip>:<port>/ response code: 200

Content-Type: text/html

Date: Fri, 05 Jul 2019 01:22:22 GMT

Expires: Fri, 05 Jul 2019 01:27:22 GMT

Cache-Control: private, max-age=300

Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT

Connection: keep-alive

Content-Length: 3306

Header missing on the following link(s):

(Only first 50 such pages are listed)

GET https://<ip>:<port>/ response code: 200

GET https://<ip>:<port>/images/safari-pinned-tab.svg response code: 200

GET https://<ip>:<port>/js/index.js response code: 200

GET https://<ip>:<port>/images/favicon-32x32.png response code: 200

GET https://<ip>:<port>/images/apple-touch-icon.png response code: 200

GET https://<ip>:<port>/images/favicon.ico response code: 200

GET https://<ip>:<port>/js/vendor.js response code: 200

GET https://<ip>:<port>/css/vendor.css response code: 200

GET https://<ip>:<port>/css/index.css response code: 200

GET https://<ip>:<port>/images/favicon-16x16.png response code: 200

GET https://<ip>:<port>/images/manifest.json response code: 200

GET https://<ip>:<port>/config response code: 200

GET https://<ip>:<port>/fonts/fontawesome-webfont.ttf?v=4.5.0 response code: 200

GET https://<ip>:<port>/fonts/fontawesome-webfont.woff2?v=4.5.0 response code: 200

GET https://<ip>:<port>/fonts/fontawesome-webfont.woff?v=4.5.0 response code: 200

GET https://<ip>:<port>/jobs/overview response code: 200

GET https://<ip>:<port>/overview response code: 200

GET https://<ip>:<port>/partials/overview.html response code: 200

GET https://<ip>:<port>/favicon.ico response code: 404

GET https://<ip>:<port>/partials/jobs/completed-jobs.html response code: 200

GET https://<ip>:<port>/jobmanager/config response code: 200

GET https://<ip>:<port>/partials/jobmanager/config.html response code: 200

GET https://<ip>:<port>/partials/jobmanager/index.html response code: 200

GET https://<ip>:<port>/partials/jobs/running-jobs.html response code: 200

GET https://<ip>:<port>/jars/ response code: 200

GET https://<ip>:<port>/partials/submit.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/index.html response code: 200

GET https://<ip>:<port>/taskmanagers response code: 200

GET https://<ip>:<port>/jobmanager/log response code: 200

GET https://<ip>:<port>/partials/jobmanager/log.html response code: 200

GET https://<ip>:<port>/jobmanager/stdout response code: 200

GET https://<ip>:<port>/partials/jobmanager/stdout.html response code: 200

GET https://<ip>:<port>/partials/%257B%257B'%23/jobs/'%20+%20jid%7D%7D response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanager.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/taskmanager.metrics.html response code: 200

GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9 response code: 200

GET https://<ip>:<port>/partials/jobmanager/jobmanager/log response code: 404

GET https://<ip>:<port>/partials/jobmanager/jobmanager/stdout response code: 404

GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9/log response code: 500

GET https://<ip>:<port>/partials/taskmanager/taskmanager.log.html response code: 200

GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9/stdout response code: 500

GET https://<ip>:<port>/partials/taskmanager/taskmanager.stdout.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%7B%7Btaskmanagerid%7D%7D/log response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%257B%257Btaskmanagerid%257D%257D/log response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%7B%7Btaskmanagerid%7D%7D/stdout response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%257B%257Btaskmanagerid%257D%257D/stdout response code: 404

 

 

[6] 150204 Missing header: X-XSS-Protection

Severity Information Gathered - Level 1

Group Information Gathered

 

Threat

The X-XSS-Protection response header is not present.

 

X-Xss-Protection: Header missing

Response headers on link: GET https://<ip>:<port>/ response code: 200

Content-Type: text/html

Date: Fri, 05 Jul 2019 01:22:22 GMT

Expires: Fri, 05 Jul 2019 01:27:22 GMT

Cache-Control: private, max-age=300

Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT

Connection: keep-alive

Content-Length: 3306

Header missing on the following link(s):

(Only first 50 such pages are listed)

GET https://<ip>:<port>/ response code: 200

GET https://<ip>:<port>/partials/overview.html response code: 200

GET https://<ip>:<port>/partials/jobs/completed-jobs.html response code: 200

GET https://<ip>:<port>/partials/jobmanager/config.html response code: 200

GET https://<ip>:<port>/partials/jobmanager/index.html response code: 200

GET https://<ip>:<port>/partials/jobs/running-jobs.html response code: 200

GET https://<ip>:<port>/partials/submit.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/index.html response code: 200

GET https://<ip>:<port>/jobmanager/log response code: 200

GET https://<ip>:<port>/partials/jobmanager/log.html response code: 200

GET https://<ip>:<port>/jobmanager/stdout response code: 200

 

 

[7] 150135 HTTP Strict Transport Security (HSTS) header missing/misconfigured.

Severity Information Gathered - Level 1

Group Information Gathered

 

Threat

HTTP Strict Transport Security (HSTS) header found to be missing or misconfigured. HSTS header dictates to a conforming browser that the current and all subsequent connections (for a configurable amount of time) to the subject website should only be performed over a secure transport layer. Additionally, users are not permitted to bypass SSL/TLS certificate errors; preventing browser click-throughs in the event of expired or otherwise untrusted certificates.

 

Strict Transport Security header missing for

https://<ip>:<port>/

 

 

Regards,

Suchithra

Re: Apache flink 1.7.2 security issues

Fabian Hueske-2
Thanks for reporting this issue.
It is already discussed on Flink's dev mailing list in this thread:


Please continue the discussion there.

Thanks, Fabian

On Tue, 13 Aug 2019 at 13:33, V N, Suchithra (Nokia - IN/Bangalore) <[hidden email]> wrote:

Hello,

 

We are using Apache Flink version 1.7.2. During our security scans, the following issues were reported by our scan tool. Please let us know your comments on these issues.

 

[1] 150085 Slow HTTP POST vulnerability

Severity Potential Vulnerability - Level 3

Group Information Disclosure

 

Threat

The web application is possibly vulnerable to a "slow HTTP POST" Denial of Service (DoS) attack. This is an application-level DoS that consumes server resources by maintaining open connections for an extended period of time by slowly sending traffic to the server. If the server maintains too many connections open at once, then it may not be able to respond to new, legitimate connections.

 

#1 Request

Payload N/A

Request POST https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

#4 Content-Type: application/x-www-form-urlencoded

 

#1 Response

Vulnerable to slow HTTP POST attack

Connection with partial POST body remained open for: 312932 milliseconds

 

[2] 150124 Clickjacking - Framable Page (10)

Severity Confirmed Vulnerability - Level 3

Group Information Disclosure

CVSS Base 6.4 CVSS Temporal 5.8

 

Threat

The web page can be framed. This means that clickjacking attacks against users are possible.

 

#1 Request

Payload N/A

Request GET https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

 

#1 Response

The URI was framed.

 

The URLs below have also reported the same issues, and the response was the same.

 

Request GET https://<ip>:<port>/partials/jobs/running-jobs.html

Request GET https://<ip>:<port>/partials/submit.html

Request GET https://<ip>:<port>/partials/jobmanager/stdout.html

Request GET https://<ip>:<port>/partials/jobs/completed-jobs.html

Request GET https://<ip>:<port>/partials/taskmanager/index.html

Request GET https://<ip>:<port>/partials/jobmanager/log.html

Request GET https://<ip>:<port>/partials/jobmanager/index.html

Request GET https://<ip>:<port>/partials/overview.html

Request GET https://<ip>:<port>/partials/jobmanager/config.html

 

[3] 150162 Use of JavaScript Library with Known Vulnerability (4)

 

Threat

The web application is using a JavaScript library that is known to contain at least one vulnerability.

 

#1 Request

Payload -

Request GET https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

 

#1 Response

Vulnerable javascript library: jQuery

version: 2.2.0

Details:

CVE-2015-9251: jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses (3rd party CORS request may execute). (https://github.com/jquery/jquery/issues/2432).

Solution: jQuery version 3.0.0 has been released to address the issue (http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/). Please refer to vendor documentation (https://blog.jquery.com/) for the latest security updates.

 

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

 

#1 Response

Vulnerable javascript library: Angular

version: 1.4.8

Details:

In angular versions below 1.6.5 both Firefox and Safari are vulnerable to XSS in $sanitize if an inert document created via `document.implementation.createHTMLDocument()` is used. Angular version 1.6.5 checks for these vulnerabilities and then use a DOMParser or XHR strategy if needed. Please refer to vendor documentation (https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94) for latest security updates.

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

#1 Response

Vulnerable javascript library: Bootstrap

version: 3.3.6

Details:

The data-target attribute in bootstrap versions below 3.4.0 is vulnerable to Cross-Site Scripting(XSS) attacks. Please refer to vendor documentation (https://github.com/twbs/bootstrap/pull/23687, https://github.com/twbs/bootstrap/issues/20184) for the latest security updates.

----------------------------------------------

CVE-2019-8331: In bootstrap versions before 3.4.1, data-template, data-content and data-title properties of tooltip or popover are vulnerable to Cross-Site Scripting(XSS) attacks. Please refer to vendor documentation (https://github.com/twbs/bootstrap/issues/28236) for latest security updates.

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

Vulnerable javascript library: moment

version: 2.10.6

Details:

CVE-2016-4055: moment versions below 2.11.2 are vulnerable to regular expression denial of service when user input is passed unchecked into moment.duration() blocking the event loop for a period of time. (https://github.com/moment/moment/issues/2936).

Solution: moment version 2.11.2 has been released to address the issue. Please refer to vendor documentation (https://github.com/moment/moment/blob/develop/CHANGELOG.md, https://nvd.nist.gov/vuln/detail/CVE-2016-4055) for latest security updates.

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

 

[4] 150081 X-Frame-Options header is not set (10)

Severity Potential Vulnerability - Level 1

Group Information Disclosure

CVSS Base 5 CVSS Temporal 4.1

 

Threat

The X-Frame-Options header is not set in the HTTP response, which may lead to a possible framing of the page. An attacker can trick users into clicking on a malicious link by framing the original page and showing a layer on top of it with legitimate-looking buttons.

 

#1 Request

Payload N/A

Request GET https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

 

#1 Response

The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN

 

Request GET https://<ip>:<port>/partials/jobs/running-jobs.html

Request GET https://<ip>:<port>/partials/submit.html

Request GET https://<ip>:<port>/partials/jobmanager/stdout.html

Request GET https://<ip>:<port>/partials/jobs/completed-jobs.html

Request GET https://<ip>:<port>/partials/taskmanager/index.html

Request GET https://<ip>:<port>/partials/jobmanager/log.html

Request GET https://<ip>:<port>/partials/jobmanager/index.html

Request GET https://<ip>:<port>/partials/overview.html

Request GET https://<ip>:<port>/partials/jobmanager/config.html

 

 

[5] 150202 Missing header: X-Content-Type-Options

Severity Information Gathered - Level 2

Group Information Gathered

 

Threat

The X-Content-Type-Options response header is not present. WAS reports missing X-Content-Type-Options header on each crawled link with all types of static and dynamic response. The scanner performs the check on 4xx and 5xx responses too. It's possible to see a directory link reported for QID as well.

 

X-Content-Type-Options: Header missing

Response headers on link: GET https://<ip>:<port>/ response code: 200

Content-Type: text/html

Date: Fri, 05 Jul 2019 01:22:22 GMT

Expires: Fri, 05 Jul 2019 01:27:22 GMT

Cache-Control: private, max-age=300

Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT

Connection: keep-alive

Content-Length: 3306

Header missing on the following link(s):

(Only first 50 such pages are listed)

GET https://<ip>:<port>/ response code: 200

GET https://<ip>:<port>/images/safari-pinned-tab.svg response code: 200

GET https://<ip>:<port>/js/index.js response code: 200

GET https://<ip>:<port>/images/favicon-32x32.png response code: 200

GET https://<ip>:<port>/images/apple-touch-icon.png response code: 200

GET https://<ip>:<port>/images/favicon.ico response code: 200

GET https://<ip>:<port>/js/vendor.js response code: 200

GET https://<ip>:<port>/css/vendor.css response code: 200

GET https://<ip>:<port>/css/index.css response code: 200

GET https://<ip>:<port>/images/favicon-16x16.png response code: 200

GET https://<ip>:<port>/images/manifest.json response code: 200

GET https://<ip>:<port>/config response code: 200

GET https://<ip>:<port>/fonts/fontawesome-webfont.ttf?v=4.5.0 response code: 200

GET https://<ip>:<port>/fonts/fontawesome-webfont.woff2?v=4.5.0 response code: 200

GET https://<ip>:<port>/fonts/fontawesome-webfont.woff?v=4.5.0 response code: 200

GET https://<ip>:<port>/jobs/overview response code: 200

GET https://<ip>:<port>/overview response code: 200

GET https://<ip>:<port>/partials/overview.html response code: 200

GET https://<ip>:<port>/favicon.ico response code: 404

GET https://<ip>:<port>/partials/jobs/completed-jobs.html response code: 200

GET https://<ip>:<port>/jobmanager/config response code: 200

GET https://<ip>:<port>/partials/jobmanager/config.html response code: 200

GET https://<ip>:<port>/partials/jobmanager/index.html response code: 200

GET https://<ip>:<port>/partials/jobs/running-jobs.html response code: 200

GET https://<ip>:<port>/jars/ response code: 200

GET https://<ip>:<port>/partials/submit.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/index.html response code: 200

GET https://<ip>:<port>/taskmanagers response code: 200

GET https://<ip>:<port>/jobmanager/log response code: 200

GET https://<ip>:<port>/partials/jobmanager/log.html response code: 200

GET https://<ip>:<port>/jobmanager/stdout response code: 200

GET https://<ip>:<port>/partials/jobmanager/stdout.html response code: 200

GET https://<ip>:<port>/partials/%257B%257B'%23/jobs/'%20+%20jid%7D%7D response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanager.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/taskmanager.metrics.html response code: 200

GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9 response code: 200

GET https://<ip>:<port>/partials/jobmanager/jobmanager/log response code: 404

GET https://<ip>:<port>/partials/jobmanager/jobmanager/stdout response code: 404

GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9/log response code: 500

GET https://<ip>:<port>/partials/taskmanager/taskmanager.log.html response code: 200

GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9/stdout response code: 500

GET https://<ip>:<port>/partials/taskmanager/taskmanager.stdout.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%7B%7Btaskmanagerid%7D%7D/log response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%257B%257Btaskmanagerid%257D%257D/log response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%7B%7Btaskmanagerid%7D%7D/stdout response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%257B%257Btaskmanagerid%257D%257D/stdout response code: 404

 

 

[6] 150204 Missing header: X-XSS-Protection

Severity Information Gathered - Level 1

Group Information Gathered

 

Threat

The X-XSS-Protection response header is not present.

 

X-Xss-Protection: Header missing

Response headers on link: GET https://<ip>:<port>/ response code: 200

Content-Type: text/html

Date: Fri, 05 Jul 2019 01:22:22 GMT

Expires: Fri, 05 Jul 2019 01:27:22 GMT

Cache-Control: private, max-age=300

Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT

Connection: keep-alive

Content-Length: 3306

Header missing on the following link(s):

(Only first 50 such pages are listed)

GET https://<ip>:<port>/ response code: 200

GET https://<ip>:<port>/partials/overview.html response code: 200

GET https://<ip>:<port>/partials/jobs/completed-jobs.html response code: 200

GET https://<ip>:<port>/partials/jobmanager/config.html response code: 200

GET https://<ip>:<port>/partials/jobmanager/index.html response code: 200

GET https://<ip>:<port>/partials/jobs/running-jobs.html response code: 200

GET https://<ip>:<port>/partials/submit.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/index.html response code: 200

GET https://<ip>:<port>/jobmanager/log response code: 200

GET https://<ip>:<port>/partials/jobmanager/log.html response code: 200

GET https://<ip>:<port>/jobmanager/stdout response code: 200

 

 

[7] 150135 HTTP Strict Transport Security (HSTS) header missing/misconfigured.

Severity Information Gathered - Level 1

Group Information Gathered

 

Threat

HTTP Strict Transport Security (HSTS) header found to be missing or misconfigured. HSTS header dictates to a conforming browser that the current and all subsequent connections (for a configurable amount of time) to the subject website should only be performed over a secure transport layer. Additionally, users are not permitted to bypass SSL/TLS certificate errors; preventing browser click-throughs in the event of expired or otherwise untrusted certificates.

 

Strict Transport Security header missing for

https://<ip>:<port>/

 

 

Regards,

Suchithra
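
Findings [4] to [7] in the report above can be re-checked against any captured response without re-running the scanner. The Python sketch below is an added example, not part of the original thread and not Flink code: `REPORTED` is the header set quoted in the report, while `HARDENED`, the host names and the function names are constructed for illustration.

```python
import ipaddress
import re

# Response headers for GET / exactly as listed in the scan report.
REPORTED = """\
Content-Type: text/html
Date: Fri, 05 Jul 2019 01:22:22 GMT
Expires: Fri, 05 Jul 2019 01:27:22 GMT
Cache-Control: private, max-age=300
Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT
Connection: keep-alive
Content-Length: 3306
"""

# Constructed sample: the same response with the four headers added upstream.
HARDENED = REPORTED + """\
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""


def parse_headers(raw):
    """Parse 'Name: value' lines into {lowercased name: [values]}."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def is_ip_literal(host):
    """True when host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_frame_options(h):
    # The report accepts only DENY or SAMEORIGIN; conflicting or obsolete
    # values (e.g. ALLOW-FROM) are treated as not protecting the page.
    values = {v.upper() for v in h.get("x-frame-options", [])}
    if not values:
        return "missing"
    if len(values) == 1 and values <= {"DENY", "SAMEORIGIN"}:
        return "ok"
    return "weak: " + ", ".join(sorted(values))


def check_nosniff(h):
    values = h.get("x-content-type-options", [])
    if not values:
        return "missing"
    return "ok" if values[0].lower() == "nosniff" else "weak: " + values[0]


def check_hsts(h, host, scheme):
    values = h.get("strict-transport-security", [])
    if not values:
        return "missing"
    if scheme != "https":
        return "ignored: header sent over plain HTTP"
    max_age = None
    # RFC 6797: only the first Strict-Transport-Security field is processed.
    for directive in values[0].split(";"):
        name, _, val = directive.strip().partition("=")
        val = val.strip().strip('"')
        if name.strip().lower() == "max-age" and re.fullmatch(r"[0-9]+", val):
            max_age = int(val)
    if max_age is None:
        return "invalid: no usable max-age"
    if max_age == 0:
        return "weak: max-age=0 removes the policy"
    if is_ip_literal(host):
        # RFC 6797: user agents do not note IP-address hosts as HSTS hosts.
        return "ignored: browsers do not store HSTS for IP-address hosts"
    return "ok"


def audit(raw_headers, host, scheme="https"):
    """Return one verdict per header named in findings [4] to [7]."""
    h = parse_headers(raw_headers)
    return {
        "X-Frame-Options": check_frame_options(h),
        "X-Content-Type-Options": check_nosniff(h),
        # Finding [6] is a presence check only.
        "X-XSS-Protection": "ok" if h.get("x-xss-protection") else "missing",
        "Strict-Transport-Security": check_hsts(h, host, scheme),
    }


if __name__ == "__main__":
    for label, raw, host in (
        ("reported", REPORTED, "flink.example.internal"),
        ("hardened, DNS name", HARDENED, "flink.example.internal"),
        ("hardened, IP address", HARDENED, "192.0.2.10"),
    ):
        print(label)
        for header, verdict in audit(raw, host).items():
            print(f"  {header}: {verdict}")
```

The third case matters for this report because the scan targeted `https://<ip>:<port>/`: an HSTS header only takes effect when the UI is reached through a DNS name.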

 


Re: Apache flink 1.7.2 security issues

Timothy Victor
In reply to this post by V N, Suchithra (Nokia - IN/Bangalore)
The Flink job manager UI isn't meant to be accessed from outside a firewall, I think. Plus I don't think it was designed with security in mind, and honestly it doesn't need to be, in my opinion.

If you need security then address your network setup. And if it is still a problem then just turn off the UI and use the CLI.

Tim

On Tue, Aug 13, 2019, 6:33 AM V N, Suchithra (Nokia - IN/Bangalore) <[hidden email]> wrote:

Hello,

 

We are using Apache Flink 1.7.2 version. During our security scans following issues are reported by our scan tool. Please let us know your comments on these issues.

 

[1] 150085 Slow HTTP POST vulnerability

Severity Potential Vulnerability - Level 3

Group Information Disclosure

 

Threat

The web application is possibly vulnerable to a "slow HTTP POST" Denial of Service (DoS) attack. This is an application-level DoS that consumes server resources by maintaining open connections for an extended period of time by slowly sending traffic to the server. If the server maintains too many connections open at once, then it may not be able to respond to new, legitimate connections.

 

#1 Request

Payload N/A

Request POST https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

#4 Content-Type: application/x-www-form-urlencoded

 

#1 Response

Vulnerable to slow HTTP POST attack

Connection with partial POST body remained open for: 312932 milliseconds

 

[2] 150124 Clickjacking - Framable Page (10)

Severity Confirmed Vulnerability - Level 3

Group Information Disclosure

CVSS Base 6.4 CVSS Temporal 5.8

 

Threat

The web page can be framed. This means that clickjacking attacks against users are possible.

 

#1 Request

Payload N/A

Request GET https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

 

#1 Response

The URI was framed.

 

The URLs below also reported the same issue, and the response was the same.

 

Request GET https://<ip>:<port>/partials/jobs/running-jobs.html

Request GET https://<ip>:<port>/partials/submit.html

Request GET https://<ip>:<port>/partials/jobmanager/stdout.html

Request GET https://<ip>:<port>/partials/jobs/completed-jobs.html

Request GET https://<ip>:<port>/partials/taskmanager/index.html

Request GET https://<ip>:<port>/partials/jobmanager/log.html

Request GET https://<ip>:<port>/partials/jobmanager/index.html

Request GET https://<ip>:<port>/partials/overview.html

Request GET https://<ip>:<port>/partials/jobmanager/config.html

 

[3] 150162 Use of JavaScript Library with Known Vulnerability (4)

 

Threat

The web application is using a JavaScript library that is known to contain at least one vulnerability.

 

#1 Request

Payload -

Request GET https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

 

#1 Response

Vulnerable javascript library: jQuery

version: 2.2.0

Details:

CVE-2015-9251: jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses (3rd party CORS request may execute). (https://github.com/jquery/jquery/issues/2432).

Solution: jQuery version 3.0.0 has been released to address the issue (http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/). Please refer to vendor documentation (https://blog.jquery.com/) for the latest security updates.

 

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

 

#1 Response

Vulnerable javascript library: Angular

version: 1.4.8

Details:

In angular versions below 1.6.5 both Firefox and Safari are vulnerable to XSS in $sanitize if an inert document created via `document.implementation.createHTMLDocument()` is used. Angular version 1.6.5 checks for these vulnerabilities and then use a DOMParser or XHR strategy if needed. Please refer to vendor documentation (https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94) for latest security updates.

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

#1 Response

Vulnerable javascript library: Bootstrap

version: 3.3.6

Details:

The data-target attribute in bootstrap versions below 3.4.0 is vulnerable to Cross-Site Scripting (XSS) attacks. Please refer to vendor documentation (https://github.com/twbs/bootstrap/pull/23687, https://github.com/twbs/bootstrap/issues/20184) for the latest security updates.

----------------------------------------------

CVE-2019-8331: In bootstrap versions before 3.4.1, data-template, data-content and data-title properties of tooltip or popover are vulnerable to Cross-Site Scripting (XSS) attacks. Please refer to vendor documentation (https://github.com/twbs/bootstrap/issues/28236) for latest security updates.

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

Vulnerable javascript library: moment

version: 2.10.6

Details:

CVE-2016-4055: moment versions below 2.11.2 are vulnerable to regular expression denial of service when user input is passed unchecked into moment.duration() blocking the event loop for a period of time. (https://github.com/moment/moment/issues/2936).

Solution: moment version 2.11.2 has been released to address the issue. Please refer to vendor documentation (https://github.com/moment/moment/blob/develop/CHANGELOG.md, https://nvd.nist.gov/vuln/detail/CVE-2016-4055) for latest security updates.

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

 

[4] 150081 X-Frame-Options header is not set (10)

Severity Potential Vulnerability - Level 1

Group Information Disclosure

CVSS Base 5 CVSS Temporal 4.1

 

Threat

The X-Frame-Options header is not set in the HTTP response, which may lead to a possible framing of the page. An attacker can trick users into clicking on a malicious link by framing the original page and showing a layer on top of it with legitimate-looking buttons.

 

#1 Request

Payload N/A

Request GET https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

 

#1 Response

The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN

 

Request GET https://<ip>:<port>/partials/jobs/running-jobs.html

Request GET https://<ip>:<port>/partials/submit.html

Request GET https://<ip>:<port>/partials/jobmanager/stdout.html

Request GET https://<ip>:<port>/partials/jobs/completed-jobs.html

Request GET https://<ip>:<port>/partials/taskmanager/index.html

Request GET https://<ip>:<port>/partials/jobmanager/log.html

Request GET https://<ip>:<port>/partials/jobmanager/index.html

Request GET https://<ip>:<port>/partials/overview.html

Request GET https://<ip>:<port>/partials/jobmanager/config.html

 

 

[5] 150202 Missing header: X-Content-Type-Options

Severity Information Gathered - Level 2

Group Information Gathered

 

Threat

The X-Content-Type-Options response header is not present. WAS reports missing X-Content-Type-Options header on each crawled link with all types of static and dynamic response. The scanner performs the check on 4xx and 5xx responses too. It's possible to see a directory link reported for QID as well.

 

X-Content-Type-Options: Header missing

Response headers on link: GET https://<ip>:<port>/ response code: 200

Content-Type: text/html

Date: Fri, 05 Jul 2019 01:22:22 GMT

Expires: Fri, 05 Jul 2019 01:27:22 GMT

Cache-Control: private, max-age=300

Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT

Connection: keep-alive

Content-Length: 3306

Header missing on the following link(s):

(Only first 50 such pages are listed)

GET https://<ip>:<port>/ response code: 200

GET https://<ip>:<port>/images/safari-pinned-tab.svg response code: 200

GET https://<ip>:<port>/js/index.js response code: 200

GET https://<ip>:<port>/images/favicon-32x32.png response code: 200

GET https://<ip>:<port>/images/apple-touch-icon.png response code: 200

GET https://<ip>:<port>/images/favicon.ico response code: 200

GET https://<ip>:<port>/js/vendor.js response code: 200

GET https://<ip>:<port>/css/vendor.css response code: 200

GET https://<ip>:<port>/css/index.css response code: 200

GET https://<ip>:<port>/images/favicon-16x16.png response code: 200

GET https://<ip>:<port>/images/manifest.json response code: 200

GET https://<ip>:<port>/config response code: 200

GET https://<ip>:<port>/fonts/fontawesome-webfont.ttf?v=4.5.0 response code: 200

GET https://<ip>:<port>/fonts/fontawesome-webfont.woff2?v=4.5.0 response code: 200

GET https://<ip>:<port>/fonts/fontawesome-webfont.woff?v=4.5.0 response code: 200

GET https://<ip>:<port>/jobs/overview response code: 200

GET https://<ip>:<port>/overview response code: 200

GET https://<ip>:<port>/partials/overview.html response code: 200

GET https://<ip>:<port>/favicon.ico response code: 404

GET https://<ip>:<port>/partials/jobs/completed-jobs.html response code: 200

GET https://<ip>:<port>/jobmanager/config response code: 200

GET https://<ip>:<port>/partials/jobmanager/config.html response code: 200

GET https://<ip>:<port>/partials/jobmanager/index.html response code: 200

GET https://<ip>:<port>/partials/jobs/running-jobs.html response code: 200

GET https://<ip>:<port>/jars/ response code: 200

GET https://<ip>:<port>/partials/submit.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/index.html response code: 200

GET https://<ip>:<port>/taskmanagers response code: 200

GET https://<ip>:<port>/jobmanager/log response code: 200

GET https://<ip>:<port>/partials/jobmanager/log.html response code: 200

GET https://<ip>:<port>/jobmanager/stdout response code: 200

GET https://<ip>:<port>/partials/jobmanager/stdout.html response code: 200

GET https://<ip>:<port>/partials/%257B%257B'%23/jobs/'%20+%20jid%7D%7D response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanager.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/taskmanager.metrics.html response code: 200

GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9 response code: 200

GET https://<ip>:<port>/partials/jobmanager/jobmanager/log response code: 404

GET https://<ip>:<port>/partials/jobmanager/jobmanager/stdout response code: 404

GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9/log response code: 500

GET https://<ip>:<port>/partials/taskmanager/taskmanager.log.html response code: 200

GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9/stdout response code: 500

GET https://<ip>:<port>/partials/taskmanager/taskmanager.stdout.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%7B%7Btaskmanagerid%7D%7D/log response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%257B%257Btaskmanagerid%257D%257D/log response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%7B%7Btaskmanagerid%7D%7D/stdout response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%257B%257Btaskmanagerid%257D%257D/stdout response code: 404

 

 

[6] 150204 Missing header: X-XSS-Protection

Severity Information Gathered - Level 1

Group Information Gathered

 

Threat

The X-XSS-Protection response header is not present.

 

X-Xss-Protection: Header missing

Response headers on link: GET https://<ip>:<port>/ response code: 200

Content-Type: text/html

Date: Fri, 05 Jul 2019 01:22:22 GMT

Expires: Fri, 05 Jul 2019 01:27:22 GMT

Cache-Control: private, max-age=300

Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT

Connection: keep-alive

Content-Length: 3306

Header missing on the following link(s):

(Only first 50 such pages are listed)

GET https://<ip>:<port>/ response code: 200

GET https://<ip>:<port>/partials/overview.html response code: 200

GET https://<ip>:<port>/partials/jobs/completed-jobs.html response code: 200

GET https://<ip>:<port>/partials/jobmanager/config.html response code: 200

GET https://<ip>:<port>/partials/jobmanager/index.html response code: 200

GET https://<ip>:<port>/partials/jobs/running-jobs.html response code: 200

GET https://<ip>:<port>/partials/submit.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/index.html response code: 200

GET https://<ip>:<port>/jobmanager/log response code: 200

GET https://<ip>:<port>/partials/jobmanager/log.html response code: 200

GET https://<ip>:<port>/jobmanager/stdout response code: 200

 

 

[7] 150135 HTTP Strict Transport Security (HSTS) header missing/misconfigured.

Severity Information Gathered - Level 1

Group Information Gathered

 

Threat

HTTP Strict Transport Security (HSTS) header found to be missing or misconfigured. HSTS header dictates to a conforming browser that the current and all subsequent connections (for a configurable amount of time) to the subject website should only be performed over a secure transport layer. Additionally, users are not permitted to bypass SSL/TLS certificate errors; preventing browser click-throughs in the event of expired or otherwise untrusted certificates.

 

Strict Transport Security header missing for

https://<ip>:<port>/

 

 

Regards,

Suchithra