spark-issues mailing list archives

From "t oo (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SPARK-24510) Spark WebUI filters use Basic Authentication [security]
Date Sun, 10 Jun 2018 23:25:00 GMT
t oo created SPARK-24510:
----------------------------

             Summary: Spark WebUI filters use Basic Authentication [security]
                 Key: SPARK-24510
                 URL: https://issues.apache.org/jira/browse/SPARK-24510
             Project: Spark
          Issue Type: Improvement
          Components: Web UI
    Affects Versions: 2.3.0
            Reporter: t oo


*Risk/Issue summary finding*
{code:java}
Basic Authentication in Use{code}
*Risk/Issue summary description/detail*
{code:java}
The only authentication method used by Spark web portals is basic HTTP authentication. In
basic HTTP authentication, passwords are encoded using the Base64 encoding scheme, before
being transmitted over the network. Note that the web services communications were over HTTPS
and as such the communications between supplicant and service would be encrypted, reducing
the risk of this issue.{code}
*Business impact / attack scenario*
{code:java}
An attacker given a reasonable time frame may be able to successfully perform a brute-force
attack on the credentials, and successfully authenticate to the web service. The time frame
for such an attack would also be significantly reduced if common username and passwords are
used, such as "Administrator" and "password". Additionally, basic authentication credentials
are sent with every request and may be cached by the web browser. {code}
*Recommendation*
{code:java}
By itself, basic authentication is not considered secure. Other, more secure, authentication
methods are offered by web servers and application frameworks and should be considered.{code}




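A hardening filter for the Web UI, as an added example that is not part of this issue and not Spark's own code: Spark loads any javax.servlet.Filter named in spark.ui.filters and hands it spark.<class name>.param.<name> entries as init parameters, so a filter can act on each point in the finding (throttle failed attempts, refuse Basic credentials over plain HTTP, stop browser caching). The class name, the user/password parameter names and the in-memory expected password are assumptions for illustration; a real deployment would compare against a stored hash and bound the failure map.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

public class HardenedBasicAuthFilter implements Filter {           // hypothetical class name
    private static final int MAX_FAILURES = 5;            // failed attempts before a client is throttled
    private static final long LOCKOUT_MS = 15 * 60_000L;  // throttle window in milliseconds
    private String user, password;                         // hypothetical filter params "user"/"password"
    private final ConcurrentHashMap<String, long[]> failures = new ConcurrentHashMap<>(); // ip -> {count, last failure ms}
    @Override public void init(FilterConfig c) throws ServletException {
        user = c.getInitParameter("user"); password = c.getInitParameter("password");
        if (user == null || password == null) throw new ServletException("user/password params required");
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws java.io.IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        w.setHeader("Cache-Control", "no-store");           // the finding notes browser caching; forbid it
        // Basic sends the (merely Base64-encoded) password on every request: only tolerable under TLS
        if (!r.isSecure()) { w.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required"); return; }
        String ip = r.getRemoteAddr();                       // behind a reverse proxy this is the proxy
        long now = System.currentTimeMillis();
        long[] f = failures.getOrDefault(ip, new long[]{0, 0});
        if (now - f[1] > LOCKOUT_MS) f = new long[]{0, 0};   // window expired: forget old failures
        // throttling is what makes the brute-force scenario in the finding expensive
        if (f[0] >= MAX_FAILURES) { w.sendError(429, "Too many failed logins"); return; }
        if (credentialsValid(r.getHeader("Authorization"))) {
            failures.remove(ip);
            chain.doFilter(req, res);
        } else {
            failures.put(ip, new long[]{f[0] + 1, now});
            w.setHeader("WWW-Authenticate", "Basic realm=\"Spark UI\"");
            w.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
    boolean credentialsValid(String header) {
        if (header == null || !header.startsWith("Basic ")) return false;
        byte[] raw;
        try { raw = Base64.getDecoder().decode(header.substring(6).trim()); }
        catch (IllegalArgumentException e) { return false; }   // malformed Base64 is just a failed login
        String[] p = new String(raw, StandardCharsets.UTF_8).split(":", 2);  // decodes to user:password
        if (p.length != 2) return false;
        // MessageDigest.isEqual compares in constant time, so the check gives a guesser no timing hint
        return MessageDigest.isEqual(p[0].getBytes(StandardCharsets.UTF_8), user.getBytes(StandardCharsets.UTF_8))
             & MessageDigest.isEqual(p[1].getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8));
    }
    @Override public void destroy() {}
}
```

Wire it in with spark.ui.filters=HardenedBasicAuthFilter plus spark.HardenedBasicAuthFilter.param.user and .param.password in spark-defaults.conf, with the class on the driver's classpath. The Recommendation above still applies: this only narrows the risks the finding lists, it does not turn Basic into a strong authentication method.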

