Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery).

DavidGM — Tue, 16 Jun 2020 21:09:40 GMT

It says a problem with the current version of jquery.

URL : "http://<myip>:8042/static/jquery/jquery-3.3.1.min.js" Installed version : 3.3.1 Fixed version : 3.5.0

Vulnerability link:

" https://www.tenable.com/plugins/nessus/136929"

Finding description: JQuery 1.2 > 3.50 XSS

Is there like a workaround to overcome this vulnerability ? or is necessary to upgrade to a newer version of HDP?

Would be possible to upgrade jquery version only ?

Thanks in advance..!

Re: Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery).

DavidGM — Mon, 22 Jun 2020 19:11:15 GMT

This is the yarn parameter that holds the port 8042:

yarn.nodemanager.webapp.address

Re: Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery).

DavidGM — Tue, 23 Jun 2020 19:03:30 GMT

Looks like the vulnerability is still present on the latest release of HDP v3.1.5.

That means that, so far, there is not way to solve it.

Hopefully, downloading the new library from jquery.com would help, but still instructions about what, how and where do the modifications still will be required by Cloudera engineers.

Re: Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery).

stevenmatison — Tue, 23 Jun 2020 20:29:44 GMT

@DavidGM You have a few options here:

1. Your yarn UI probably should not just be wide open to vulnerability scans. Consider securing the UI, blocking external access to unauthorized parties. Check out kerberos, yarn + SSL, LDAP/AD, etc. If the scanning application cannot see the UI, they cannot see or try to read the jQuery versions. This is then a pass. This is a standard practice for internally facing applications versus live web/ip public applications that are vulnerable to automated version exploits. That said, I am an advocate for passing the scans, not just firewalling them away.

2. You could build Yarn from source yourself with the jQuery versions that satisfy your scan requirements. This requires some serious thought and planning as it isn't a simple task and would not be supported through traditional channels.

3. You can hack into the file system and change the files directly. Similar to #2, this is going to be unsupported, but sometimes, you just have to do whatever it takes to pass a vulnerability scan.

For example, lets look under the hood for where these files exist for #3.

[root@c7301 /]# find . -name 'jquery-3.3.1.min.js'
./usr/hdp/3.1.0.0-78/hadoop-hdfs/webapps/static/jquery-3.3.1.min.js
./hadoop/yarn/local/filecache/10/mapreduce.tar.gz/hadoop/share/hadoop/hdfs/webapps/static/jquery-3.3.1.min.js

[root@c7301 hadoop-hdfs]# grep -lr 'jquery-3.3.1.min.js' *
hadoop-hdfs-3.1.1.3.1.0.0-78-tests.jar
hadoop-hdfs-tests.jar
webapps/datanode/datanode.html
webapps/hdfs/dfshealth.html
webapps/hdfs/explorer.html
webapps/journal/index.html
webapps/router/federationhealth.html
webapps/secondary/status.html

For #2, these are relevant file searches on the source code:

[root@c7301 hadoop-3.2.1-src]# find . -name *.min.js | grep jquery
./hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/static/jquery/jquery-ui-1.12.1.custom.min.js
./hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/static/jquery/jquery-3.3.1.min.js
./hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/static/dt-1.10.7/js/jquery.dataTables.min.js
./hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/static/jquery.dataTables.min.js
./hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/static/jquery-3.3.1.min.js

[root@c7301 hadoop-3.2.1-src]# grep -lr '.min.js' *
hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestUpgradeDomainBlockPlacementPolicy.java
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/explorer.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/journal/index.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/datanode/datanode.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/secondary/status.html
hadoop-hdfs-project/hadoop-hdfs/pom.xml
hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/webapps/router/federationhealth.html
hadoop-tools/hadoop-sls/src/test/resources/simulate.html.template
hadoop-tools/hadoop-sls/src/test/resources/track.html.template
hadoop-tools/hadoop-sls/src/main/html/simulate.html.template
hadoop-tools/hadoop-sls/src/main/html/showSimulationTrace.html
hadoop-tools/hadoop-sls/src/main/html/track.html.template
hadoop-tools/hadoop-sls/pom.xml
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/JQueryUI.java
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/pom.xml
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/ember-cli-build.js
LICENSE.txt

[root@c7301 hadoop-3.2.1-src]# grep -lr 'jquery-3.3.1.min.js' *
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/explorer.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/journal/index.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/datanode/datanode.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/secondary/status.html
hadoop-hdfs-project/hadoop-hdfs/pom.xml
hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/webapps/router/federationhealth.html
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/JQueryUI.java
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/pom.xml
LICENSE.txt

If this answer resolves your issue or allows you to move forward, please choose to ACCEPT this solution and close this topic. If you have further dialogue on this topic please comment here or feel free to private message me. If you have new questions related to your Use Case please create separate topic and feel free to tag me in your post.

Thanks,

Steven @ DFHZ

Re: Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery).

DavidGM — Thu, 25 Jun 2020 17:48:40 GMT

Thanks for the information Steven.

I will be visiting the options you provided and see if I can make a progress hoping not to break the things.

Do you know if in a future release of HDP will cover this vulnerability ?

And again, thanks a lot for your inputs.

question Re: Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery). in Support Questions

Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery).

Re: Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery).

Re: Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery).

Re: Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery).

Re: Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery).