
Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery).

Solved

New Contributor

It says a problem with the current version of jquery.

 

URL: http://<myip>:8042/static/jquery/jquery-3.3.1.min.js
Installed version: 3.3.1
Fixed version: 3.5.0

Vulnerability link: https://www.tenable.com/plugins/nessus/136929

Finding description: JQuery 1.2 > 3.50 XSS

 

Is there a workaround to overcome this vulnerability, or is it necessary to upgrade to a newer version of HDP?

Would it be possible to upgrade the jQuery version only?

Thanks in advance!

 

ACCEPTED SOLUTION

Re: Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery).

@DavidGM  You have a few options here:

 

1.  Your YARN UI probably should not just be wide open to vulnerability scans. Consider securing the UI and blocking external access by unauthorized parties. Check out Kerberos, YARN + SSL, LDAP/AD, etc. If the scanning application cannot see the UI, it cannot see or try to read the jQuery versions. This is then a pass. This is a standard practice for internally facing applications versus live web/IP public applications that are vulnerable to automated version exploits. That said, I am an advocate for passing the scans, not just firewalling them away.

2.  You could build YARN from source yourself with the jQuery version that satisfies your scan requirements. This requires some serious thought and planning, as it isn't a simple task and would not be supported through traditional channels.

3.  You can hack into the file system and change the files directly. Similar to #2, this is going to be unsupported, but sometimes you just have to do whatever it takes to pass a vulnerability scan.

For example, let's look under the hood at where these files exist for #3.

 

[root@c7301 /]# find . -name 'jquery-3.3.1.min.js'
./usr/hdp/3.1.0.0-78/hadoop-hdfs/webapps/static/jquery-3.3.1.min.js
./hadoop/yarn/local/filecache/10/mapreduce.tar.gz/hadoop/share/hadoop/hdfs/webapps/static/jquery-3.3.1.min.js
[root@c7301 hadoop-hdfs]# grep -lr 'jquery-3.3.1.min.js' *
hadoop-hdfs-3.1.1.3.1.0.0-78-tests.jar
hadoop-hdfs-tests.jar
webapps/datanode/datanode.html
webapps/hdfs/dfshealth.html
webapps/hdfs/explorer.html
webapps/journal/index.html
webapps/router/federationhealth.html
webapps/secondary/status.html

For #2, these are the relevant file searches on the source code:

 

[root@c7301 hadoop-3.2.1-src]# find . -name *.min.js | grep jquery
./hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/static/jquery/jquery-ui-1.12.1.custom.min.js
./hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/static/jquery/jquery-3.3.1.min.js
./hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/static/dt-1.10.7/js/jquery.dataTables.min.js
./hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/static/jquery.dataTables.min.js
./hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/static/jquery-3.3.1.min.js
[root@c7301 hadoop-3.2.1-src]# grep -lr '.min.js' *
hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestUpgradeDomainBlockPlacementPolicy.java
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/explorer.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/journal/index.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/datanode/datanode.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/secondary/status.html
hadoop-hdfs-project/hadoop-hdfs/pom.xml
hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/webapps/router/federationhealth.html
hadoop-tools/hadoop-sls/src/test/resources/simulate.html.template
hadoop-tools/hadoop-sls/src/test/resources/track.html.template
hadoop-tools/hadoop-sls/src/main/html/simulate.html.template
hadoop-tools/hadoop-sls/src/main/html/showSimulationTrace.html
hadoop-tools/hadoop-sls/src/main/html/track.html.template
hadoop-tools/hadoop-sls/pom.xml
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/JQueryUI.java
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/pom.xml
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/ember-cli-build.js
LICENSE.txt
[root@c7301 hadoop-3.2.1-src]# grep -lr 'jquery-3.3.1.min.js' *
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/explorer.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/journal/index.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/datanode/datanode.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/secondary/status.html
hadoop-hdfs-project/hadoop-hdfs/pom.xml
hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/webapps/router/federationhealth.html
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/JQueryUI.java
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/pom.xml
LICENSE.txt

 

 

If this answer resolves your issue or allows you to move forward, please choose to ACCEPT this solution and close this topic. If you have further dialogue on this topic please comment here or feel free to private message me. If you have new questions related to your Use Case please create separate topic and feel free to tag me in your post.  

 

Thanks,


Steven @ DFHZ

 


 


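The listing above shows where the on-disk copies and the HTML pages that reference them live; what it does not show is how to swap a copy out safely and confirm afterwards that nothing older than the fixed version is left. The script below is an added example written for this thread, not code from the original post or from the HDP/Hadoop project. It assumes (none of this is stated on the page) that official minified jQuery builds start with the banner `/*! jQuery vX.Y.Z ...`, that the pages reference the library by its versioned filename as the grep output shows, and that the replacement build has already been downloaded from jquery.com and checksum-verified. The function names, the backup-directory layout and all sample paths are assumptions of this example.

```shell
#!/bin/sh
# Added example; not code from the original post or from the HDP/Hadoop project.
# Audits every on-disk jQuery copy below a root directory, swaps a vulnerable
# build for a fixed one (option #3 above), and re-checks the tree afterwards.
# Assumptions (not stated on the page): official minified jQuery builds start
# with the banner "/*! jQuery vX.Y.Z ..."; the HTML pages reference the library
# by its versioned filename, as the grep output above shows; the replacement
# build was downloaded from jquery.com and checksum-verified beforehand.
# Function names, the backup directory layout and all sample paths are ours.

# Succeed (exit 0) when version $1 is strictly lower than version $2.
# Written in POSIX awk so it does not depend on GNU "sort -V".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            yb = (i <= nb) ? y[i] + 0 : 0
            if (xa < yb) exit 0
            if (xa > yb) exit 1
        }
        exit 1   # equal versions are not lower
    }'
}

# Print "version<TAB>path" for each jquery-<version>.min.js below $1. A copy
# without a readable banner is reported as "unknown" rather than skipped.
list_jquery_versions() {
    find "$1" -type f -name 'jquery-[0-9]*.min.js' | while IFS= read -r f; do
        v=$(head -c 200 "$f" | grep -o 'jQuery v[0-9][0-9.]*' | head -n 1 | cut -c9-)
        printf '%s\t%s\n' "${v:-unknown}" "$f"
    done
}

# Print "VULNERABLE<TAB>version<TAB>path" for every copy below $1 that is older
# than the fixed version $2 (3.5.0 in the scanner finding) or has no version.
audit_jquery() {
    tab=$(printf '\t')
    list_jquery_versions "$1" | while IFS="$tab" read -r v f; do
        if [ "$v" = "unknown" ] || version_lt "$v" "$2"; then
            printf 'VULNERABLE\t%s\t%s\n' "$v" "$f"
        fi
    done
}

# Number of vulnerable copies below $1 against fixed version $2; 0 means clean.
count_vulnerable() {
    audit_jquery "$1" "$2" | wc -l | tr -d ' '
}

# Copy $2 (a path below root $1) into backup dir $3, mirroring its relative
# path, so the original is kept for rollback outside the served tree.
backup_file() {
    rel=${2#"$1"/}
    mkdir -p "$3/$(dirname "$rel")"
    cp -p "$2" "$3/$rel"
}

# Replace each on-disk copy of filename $2 below root $1 with the build $3,
# back the originals up under $4, and point *.html references at the new name.
# Copies packaged inside jars (the *-tests.jar hits in the grep above) and the
# YARN copy, which the installed-host find above did not list as a plain file,
# are not touched here; those need repackaging or a rebuild (option #2).
replace_jquery() {
    root=${1%/}; old_name=$2; new_file=$3; backup_dir=$4
    new_name=$(basename "$new_file")
    # Escape regex metacharacters so the dots in the old filename match literally.
    esc_old=$(printf '%s' "$old_name" | sed 's/[.[\*^$]/\\&/g')

    find "$root" -type f -name "$old_name" | while IFS= read -r f; do
        backup_file "$root" "$f" "$backup_dir"
        cp "$new_file" "$(dirname "$f")/$new_name"
        # Do not leave the old build reachable over HTTP under its known path.
        if [ "$new_name" != "$old_name" ]; then rm -f "$f"; fi
    done

    find "$root" -type f -name '*.html' -exec grep -lF "$old_name" {} \; |
    while IFS= read -r h; do
        backup_file "$root" "$h" "$backup_dir"
        sed "s|$esc_old|$new_name|g" "$h" > "$h.tmp.$$" && cat "$h.tmp.$$" > "$h"
        rm -f "$h.tmp.$$"
    done
}
```

Typical use on the paths from the listing above would be `audit_jquery /usr/hdp/3.1.0.0-78 3.5.0` to get the inventory, then `replace_jquery /usr/hdp/3.1.0.0-78 jquery-3.3.1.min.js ./jquery-3.5.0.min.js /root/jquery-backup`, and `count_vulnerable /usr/hdp/3.1.0.0-78 3.5.0` again to confirm a zero before re-running the scanner. Backups are written outside the served tree deliberately, since a `.bak` left next to the page would still be downloadable. The copy under `/hadoop/yarn/local/filecache/...` is a localized cache of `mapreduce.tar.gz`; edits there do not survive re-localization, so treat that one as part of the archive rather than as a plain file.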

4 REPLIES

Re: Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery).

New Contributor

This is the YARN parameter that holds port 8042:

yarn.nodemanager.webapp.address  

 

 


Re: Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery).

New Contributor

Looks like the vulnerability is still present on the latest release of HDP, v3.1.5.

That means that, so far, there is no way to solve it.

Hopefully, downloading the new library from jquery.com would help, but instructions about what, how and where to make the modifications will still be required from Cloudera engineers.


Re: Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery).

New Contributor

Thanks for the information, Steven.

I will be visiting the options you provided and see if I can make progress, hoping not to break things.

Do you know if a future release of HDP will cover this vulnerability?

And again, thanks a lot for your input.

 

 
