
Vulnerability alert on my HDP 3.1.0.0-78 version. (jquery).

Explorer

It says there is a problem with the current version of jQuery.


URL: "http://<myip>:8042/static/jquery/jquery-3.3.1.min.js"
Installed version: 3.3.1
Fixed version: 3.5.0

Vulnerability link: https://www.tenable.com/plugins/nessus/136929

Finding description: JQuery 1.2 > 3.50 XSS


Is there a workaround to overcome this vulnerability, or is it necessary to upgrade to a newer version of HDP?

Would it be possible to upgrade the jQuery version only?


Thanks in advance!


1 ACCEPTED SOLUTION

Super Guru

@DavidGM  You have a few options here:


1. Your YARN UI probably should not just be wide open to vulnerability scans. Consider securing the UI, blocking external access to unauthorized parties. Check out Kerberos, YARN + SSL, LDAP/AD, etc. If the scanning application cannot see the UI, it cannot see or try to read the jQuery versions. This is then a pass. This is a standard practice for internally facing applications versus live web/IP public applications that are vulnerable to automated version exploits. That said, I am an advocate for passing the scans, not just firewalling them away.

2.  You could build Yarn from source yourself with the jQuery versions that satisfy your scan requirements.  This requires some serious thought and planning as it isn't a simple task and would not be supported through traditional channels.

3.  You can hack into the file system and change the files directly.  Similar to #2, this is going to be unsupported, but sometimes, you just have to do whatever it takes to pass a vulnerability scan.


For example, let's look under the hood at where these files exist for #3.


[root@c7301 /]# find . -name 'jquery-3.3.1.min.js'
./usr/hdp/3.1.0.0-78/hadoop-hdfs/webapps/static/jquery-3.3.1.min.js
./hadoop/yarn/local/filecache/10/mapreduce.tar.gz/hadoop/share/hadoop/hdfs/webapps/static/jquery-3.3.1.min.js
[root@c7301 hadoop-hdfs]# grep -lr 'jquery-3.3.1.min.js' *
hadoop-hdfs-3.1.1.3.1.0.0-78-tests.jar
hadoop-hdfs-tests.jar
webapps/datanode/datanode.html
webapps/hdfs/dfshealth.html
webapps/hdfs/explorer.html
webapps/journal/index.html
webapps/router/federationhealth.html
webapps/secondary/status.html

For #2, these are the relevant file searches in the source code:


[root@c7301 hadoop-3.2.1-src]# find . -name *.min.js | grep jquery
./hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/static/jquery/jquery-ui-1.12.1.custom.min.js
./hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/static/jquery/jquery-3.3.1.min.js
./hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/webapps/static/dt-1.10.7/js/jquery.dataTables.min.js
./hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/static/jquery.dataTables.min.js
./hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/static/jquery-3.3.1.min.js
[root@c7301 hadoop-3.2.1-src]# grep -lr '.min.js' *
hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/namenode/TestUpgradeDomainBlockPlacementPolicy.java
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/explorer.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/journal/index.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/datanode/datanode.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/secondary/status.html
hadoop-hdfs-project/hadoop-hdfs/pom.xml
hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/webapps/router/federationhealth.html
hadoop-tools/hadoop-sls/src/test/resources/simulate.html.template
hadoop-tools/hadoop-sls/src/test/resources/track.html.template
hadoop-tools/hadoop-sls/src/main/html/simulate.html.template
hadoop-tools/hadoop-sls/src/main/html/showSimulationTrace.html
hadoop-tools/hadoop-sls/src/main/html/track.html.template
hadoop-tools/hadoop-sls/pom.xml
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/JQueryUI.java
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/pom.xml
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/ember-cli-build.js
LICENSE.txt
[root@c7301 hadoop-3.2.1-src]# grep -lr 'jquery-3.3.1.min.js' *
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/explorer.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/hdfs/dfshealth.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/journal/index.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/datanode/datanode.html
hadoop-hdfs-project/hadoop-hdfs/src/main/webapps/secondary/status.html
hadoop-hdfs-project/hadoop-hdfs/pom.xml
hadoop-hdfs-project/hadoop-hdfs-rbf/src/main/webapps/router/federationhealth.html
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/JQueryUI.java
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/pom.xml
LICENSE.txt


If this answer resolves your issue or allows you to move forward, please choose to ACCEPT this solution and close this topic. If you have further dialogue on this topic, please comment here or feel free to private message me. If you have new questions related to your use case, please create a separate topic and feel free to tag me in your post.


Thanks,


Steven @ DFHZ

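As an added example, not code from the answer above or from HDP, here is a small POSIX shell audit that walks an install root the way the find/grep session does, reads the version banner of every bundled jquery-*.js, and flags copies below the 3.5.0 that the scanner reports as fixed. The install root, the banner format of minified jQuery builds and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from HDP: inventory every bundled
# jquery-*.js under an install root and flag copies older than the version the
# Nessus finding on the page reports as fixed (3.5.0). Assumes the standard
# "/*! jQuery v3.3.1 | ..." banner that minified jQuery builds carry; the file
# name is used as a fallback when the banner is absent.

FIXED_VERSION="3.5.0"

# Print the jQuery version of one file, from its banner or, failing that, its name.
# jquery-ui and jquery.dataTables files carry other banners and are left unversioned.
jquery_version() {
    v=$(head -c 200 "$1" | sed -n 's/.*jQuery v\([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] || v=$(basename "$1" | sed -n 's/^jquery-\([0-9][0-9.]*\)\.min\.js$/\1/p')
    echo "$v"
}

# True (exit 0) when version $1 sorts strictly below version $2, numerically per field.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# One line per file under $1: "<path> <version> OUTDATED|ok". Files whose version
# cannot be determined are reported as "unknown" so they can be reviewed by hand.
audit_jquery() {
    find "$1" -type f -name 'jquery-*.js' 2>/dev/null | sort | while IFS= read -r f; do
        v=$(jquery_version "$f")
        if [ -n "$v" ] && version_lt "$v" "$FIXED_VERSION"; then
            echo "$f $v OUTDATED"
        else
            echo "$f ${v:-unknown} ok"
        fi
    done
}

# Number of outdated copies under $1; non-zero means the scan finding still stands.
count_outdated() {
    audit_jquery "$1" | awk '/ OUTDATED$/ { n++ } END { print n + 0 }'
}

# Stand-alone use: audit the HDP install root shown in the thread (assumed path).
if [ "${1:-}" = "--run" ]; then
    root="${2:-/usr/hdp/3.1.0.0-78}"
    audit_jquery "$root"
    echo "outdated copies: $(count_outdated "$root")"
fi
```

Run it as `sh audit.sh --run /usr/hdp/3.1.0.0-78` after the files are patched to confirm nothing below 3.5.0 is still shipped; the filecache copies under /hadoop/yarn/local are regenerated from the HDFS tarball, so those need the source tarball fixed, not the cache.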

4 REPLIES

Explorer

This is the YARN parameter that holds port 8042:

yarn.nodemanager.webapp.address


Explorer

Looks like the vulnerability is still present on the latest release of HDP v3.1.5.

That means that, so far, there is no way to solve it.


Hopefully, downloading the new library from jquery.com would help, but instructions from Cloudera engineers about what, how and where to make the modifications will still be required.


Explorer

Thanks for the information Steven.

I will be visiting the options you provided to see if I can make progress, hoping not to break things.

Do you know if a future release of HDP will cover this vulnerability?

And again, thanks a lot for your input.