Hello,

 

We are using Apache Flink 1.7.2 version. During our security scans following issues are reported by our scan tool. Please let us know your comments on these issues.

 

[1] 150085 Slow HTTP POST vulnerability

Severity Potential Vulnerability - Level 3

Group Information Disclosure

 

Threat

The web application is possibly vulnerable to a "slow HTTP POST" Denial of Service (DoS) attack. This is an application-level DoS that consumes server

resources by maintaining open connections for an extended period of time by slowly sending traffic to the server. If the server maintains too many connections

open at once, then it may not be able to respond to new, legitimate connections.

 

#1 Request

Payload N/A

Request POST https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

#4 Content-Type: application/x-www-form-urlencoded

 

#1 Response

Vulnerable to slow HTTP POST attack

Connection with partial POST body remained open for: 312932 milliseconds

 

[2] 150124 Clickjacking - Framable Page (10)

Severity Confirmed Vulnerability - Level 3

Group Information Disclosure

CVSS Base 6.4 CVSS Temporal5.8

 

Threat

The web page can be framed. This means that clickjacking attacks against users are possible.

 

#1 Request

Payload N/A

Request GET https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

 

#1 Response

The URI was framed.

 

Below url’s have also reported the same issues and response was same.

 

Request GET https://<ip>:<port>/partials/jobs/running-jobs.html

Request GET https://<ip>:<port>/partials/submit.html

Request GET https://<ip>:<port>/partials/jobmanager/stdout.html

Request GET https://<ip>:<port>/partials/jobs/completed-jobs.html

Request GET https://<ip>:<port>/partials/taskmanager/index.html

Request GET https://<ip>:<port>/partials/jobmanager/log.html

Request GET https://<ip>:<port>/partials/jobmanager/index.html

Request GET https://<ip.:<port>/partials/overview.html

Request GET https://<ip>:<port>/partials/jobmanager/config.html

 

[3] 150162 Use of JavaScript Library with Known Vulnerability (4)

 

Threat

The web application is using a JavaScript library that is known to contain at least one vulnerability.

 

#1 Request

Payload -

Request GET https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

 

#1 Response

Vulnerable javascript library: jQuery

version: 2.2.0

Details:

CVE-2015-9251: jQuery versions on or above 1.4.0 and below 1.12.0 (version 1.12.3 and above but below 3.0.0-beta1 as well) are vulnerable to XSS via 3rd party text/javascript responses(3rd party

CORS request may execute). (https://github.com/jquery/jquery/issues/2432).

Solution: jQuery version 3.0.0 has been released to address the issue (http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/). Please refer to vendor documentation (https://blog.jquery.com/)

for the latest security updates.

 

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

 

#1 Response

Vulnerable javascript library: Angular

version: 1.4.8

Details:

In angular versions below 1.6.5 both Firefox and Safari are vulnerable to XSS in $sanitize if an inert document created via `document.implementation.createHTMLDocument()` is used. Angular version

1.6.5 checks for these vulnerabilities and then use a DOMParser or XHR strategy if needed. Please refer to vendor documentation (https://github.com/angular/angular.js/commit/

8f31f1ff43b673a24f84422d5c13d6312b2c4d94) for latest security updates.

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

#1 Response

Vulnerable javascript library: Bootstrap

version: 3.3.6

Details:

The data-target attribute in bootstrap versions below 3.4.0 is vulnerable to Cross-Site Scripting(XSS) attacks. Please refer to vendor documentation (https://github.com/twbs/bootstrap/pull/23687, https://

github.com/twbs/bootstrap/issues/20184) for the latest security updates.

----------------------------------------------

CVE-2019-8331: In bootstrap versions before 3.4.1, data-template, data-content and data-title properties of tooltip or popover are vulnerable to Cross-Site Scripting(XSS) attacks. Please refer to vendor

documentation (https://github.com/twbs/bootstrap/issues/28236) for latest security updates.

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

Vulnerable javascript library: moment

version: 2.10.6

Details:

CVE-2016-4055: moment versions below 2.11.2 are vulnerable to regular expression denial of service when user input is passed unchecked into moment.duration() blocking the event loop for a period

of time.(https://github.com/moment/moment/issues/2936).

Solution: moment version 2.11.2 has been released to address the issue. Please refer to vendor documentation (https://github.com/moment/moment/blob/develop/CHANGELOG.md, https://nvd.nist.gov/

vuln/detail/CVE-2016-4055 ) for latest security updates.

Found on the following pages (only first 10 pages are reported):

https://<ip>:<port>/

https://<ip>:<port>/#/completed-jobs

https://<ip>:<port>/#/jobmanager/config

https://<ip>:<port>/#/overview

https://<ip>:<port>/#/running-jobs

https://<ip>:<port>/#/submit

https://<ip>:<port>/#/taskmanagers

https://<ip>:<port>/#/jobmanager/log

https://<ip>:<port>/#/jobmanager/stdout

https://<ip>:<port>/#/taskmanager/100474b27dcd8eeb9f3ff38c952977c9/log

 

 

[4] 150081 X-Frame-Options header is not set (10)

Severity Potential Vulnerability - Level 1

Group Information Disclosure

CVSS Base 5 CVSS Temporal4.1

 

Threat

The X-Frame-Options header is not set in the HTTP response, which may lead to a possible framing of the page. An attacker can trick users into clicking on a

malicious link by framing the original page and showing a layer on top of it with legitimate-looking buttons.

 

#1 Request

Payload N/A

Request GET https://<ip>:<port>/

#1 Host: <ip>:<port>

#3 Accept: */*

 

#1 Response

The response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN

 

Request GET https://<ip>:<port>/partials/jobs/running-jobs.html

Request GET https://<ip>:<port>/partials/submit.html

Request GET https://<ip>:<port>/partials/jobmanager/stdout.html

Request GET https://<ip>:<port>/partials/jobs/completed-jobs.html

Request GET https://<ip>:<port>/partials/taskmanager/index.html

Request GET https://<ip>:<port>/partials/jobmanager/log.html

Request GET https://<ip>:<port>/partials/jobmanager/index.html

Request GET https://<ip>:<port>/partials/overview.html

Request GET https://<ip>:<port>/partials/jobmanager/config.html

 

 

[5] 150202 Missing header: X-Content-Type-Options

Severity Information Gathered - Level 2

Group Information Gathered

 

Threat

The X-Content-Type-Options response header is not present. WAS reports missing X-Content-Type-Options header on each crawled link with all types of static

and dynamic response. The scanner performs the check on 4xx and 5xx responses too. It's possible to see a directory link reported for QID as well.

 

X-Content-Type-Options: Header missing

Response headers on link: GET https://<ip>:<port>/ response code: 200

Content-Type: text/html

Date: Fri, 05 Jul 2019 01:22:22 GMT

Expires: Fri, 05 Jul 2019 01:27:22 GMT

Cache-Control: private, max-age=300

Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT

Connection: keep-alive

Content-Length: 3306

Header missing on the following link(s):

(Only first 50 such pages are listed)

GET https://<ip>:<port>/ response code: 200

GET https://<ip>:<port>/images/safari-pinned-tab.svg response code: 200

GET https://<ip>:<port>/js/index.js response code: 200

GET https://<ip>:<port>/images/favicon-32x32.png response code: 200

GET https://<ip>:<port>/images/apple-touch-icon.png response code: 200

GET https://<ip>:<port>/images/favicon.ico response code: 200

GET https://<ip>:<port>/js/vendor.js response code: 200

GET https://<ip>:<port>/css/vendor.css response code: 200

GET https://<ip>:<port>/css/index.css response code: 200

GET https://<ip>:<port>/images/favicon-16x16.png response code: 200

GET https://<ip>:<port>/images/manifest.json response code: 200

GET https://<ip>:<port>/config response code: 200

GET https://<ip>:<port>/fonts/fontawesome-webfont.ttf?v=4.5.0 response code: 200

GET https://<ip>:<port>/fonts/fontawesome-webfont.woff2?v=4.5.0 response code: 200

GET https://<ip>:<port>/fonts/fontawesome-webfont.woff?v=4.5.0 response code: 200

GET https://<ip>:<port>/jobs/overview response code: 200

GET https://<ip>:<port>/overview response code: 200

GET https://<ip>:<port>/partials/overview.html response code: 200

GET https://<ip>:<port>/favicon.ico response code: 404

GET https://<ip>:<port>/partials/jobs/completed-jobs.html response code: 200

GET https://<ip>:<port>/jobmanager/config response code: 200

GET https://<ip>:<port>/partials/jobmanager/config.html response code: 200

GET https://<ip>:<port>/partials/jobmanager/index.html response code: 200

GET https://<ip>:<port>/partials/jobs/running-jobs.html response code: 200

GET https://<ip>:<port>/jars/ response code: 200

GET https://<ip>:<port>/partials/submit.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/index.html response code: 200

GET https://<ip>:<port>/taskmanagers response code: 200

GET https://<ip>:<port>/jobmanager/log response code: 200

GET https://<ip>:<port>/partials/jobmanager/log.html response code: 200

GET https://<ip>:<port>/jobmanager/stdout response code: 200

GET https://<ip>:<port>/partials/jobmanager/stdout.html response code: 200

GET https://<ip>:<port>/partials/%257B%257B'%23/jobs/'%20+%20jid%7D%7D response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanager.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/taskmanager.metrics.html response code: 200

GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9 response code: 200

GET https://<ip>:<port>/partials/jobmanager/jobmanager/log response code: 404

GET https://<ip>:<port>/partials/jobmanager/jobmanager/stdout response code: 404

GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9/log response code: 500

GET https://<ip>:<port>/partials/taskmanager/taskmanager.log.html response code: 200

GET https://<ip>:<port>/taskmanagers/100474b27dcd8eeb9f3ff38c952977c9/stdout response code: 500

GET https://<ip>:<port>/partials/taskmanager/taskmanager.stdout.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%7B%7Btaskmanagerid%7D%7D/log response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%257B%257Btaskmanagerid%257D%257D/log response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%7B%7Btaskmanagerid%7D%7D/stdout response code: 404

GET https://<ip>:<port>/partials/taskmanager/taskmanagers/%257B%257Btaskmanagerid%257D%257D/stdout response code: 404

 

 

[6] 150204 Missing header: X-XSS-Protection

Severity Information Gathered - Level 1

Group Information Gathered

 

Threat

The X-XSS-Protection response header is not present.

 

X-Xss-Protection: Header missing

Response headers on link: GET https://<ip>:<port>/ response code: 200

Content-Type: text/html

Date: Fri, 05 Jul 2019 01:22:22 GMT

Expires: Fri, 05 Jul 2019 01:27:22 GMT

Cache-Control: private, max-age=300

Last-Modified: Mon, 01 Jul 2019 09:45:33 GMT

Connection: keep-alive

Content-Length: 3306

Header missing on the following link(s):

(Only first 50 such pages are listed)

GET https://<ip>:<port>/ response code: 200

GET https://<ip>:<port>/partials/overview.html response code: 200

GET https://<ip>:<port>/partials/jobs/completed-jobs.html response code: 200

GET https://<ip>:<port>/partials/jobmanager/config.html response code: 200

GET https://<ip>:<port>/partials/jobmanager/index.html response code: 200

GET https://<ip>:<port>/partials/jobs/running-jobs.html response code: 200

GET https://<ip>:<port>/partials/submit.html response code: 200

GET https://<ip>:<port>/partials/taskmanager/index.html response code: 200

GET https://<ip>:<port>/jobmanager/log response code: 200

GET https://<ip>:<port>/partials/jobmanager/log.html response code: 200

GET https://<ip>:<port>/jobmanager/stdout response code: 200

 

 

[7] 150135 HTTP Strict Transport Security (HSTS) header missing/misconfigured.

Severity Information Gathered - Level 1

Group Information Gathered

 

Threat

HTTP Strict Transport Security (HSTS) header found to be missing or misconfigured. HSTS header dictates to a conforming browser that the current and all

subsequent connections (for a configurable amount of time) to the subject website should only be performed over a secure transport layer. Additionally, users are

not permitted to bypass SSL/TLS certificate errors; preventing browser click-throughs in the event of expired or otherwise untrusted certificates.

 

Strict Transport Security header missing for

https://<ip>:<port>/

 

 

Regards,

Suchithra