External pentest on API Portal show that port 8083 is showing unwanted information for druid

Article ID: 241865

Products

CA API Developer Portal

Issue/Introduction

Following an external pentest of the developer portal, the following was found:

  1. The http://portalhost:8083/application.wadl URI provides too much information to users, and does so without encryption. Is it possible to close port 8083 completely or automatically forward it to an HTTPS port? Additionally, can the application.wadl URI be disabled entirely?
  2. http://portalhost:8083/status/properties displays an outdated log4j version.

Environment

API Portal 4.5, 5.x

Resolution

Port 8083 is the default port for the Druid historical container. If needed, you can unpublish this port by running:

docker service update portal_historical --publish-rm 8083

To make this change persistent if the portal is redeployed, do the following:

1. Run portal.sh keep (this saves the analytics.yml and docker-compose.yml after the deployment).

2. Edit the saved analytics.yml to remove the port 8083 mapping.

   To keep this change after the portal is redeployed, you also need to update portal.sh so that the following section deploys the updated analytics.yml instead of the content of the ANALYTICS_YML variable:

if [[ "${AE}" == y ]]; then
  # write the analytics compose content to a temporary file and deploy it as part of the "portal" stack
  tmpfile=$(mktemp)
  echo "${ANALYTICS_YML}" > "$tmpfile"
  docker stack deploy --with-registry-auth --compose-file "$tmpfile" portal
  rm "$tmpfile"
fi

Keep in mind that an upgrade will replace the portal.sh file.
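As an added example (not part of this article and not shipped with the product), the following POSIX shell helper performs step 2 on a saved compose file: it strips every short-syntax port mapping that publishes host port 8083, drops a "ports:" key that is left empty (docker stack deploy rejects an empty list), and counts the mappings that remain so the edit can be verified. The sample analytics.yml and its image and service names are constructed for illustration.

```shell
#!/bin/sh
# Remove short-syntax mappings that publish host port $2 from compose file $1.
# Long-syntax mappings ("- target: ...") are not handled by this helper.
remove_published_port() {
  file=$1; port=$2
  # host port, optionally prefixed by a bind address and suffixed by /tcp or /udp
  re="^[[:space:]]*-[[:space:]]*[\"']?([0-9.]+:)?${port}:[0-9]+(/(tcp|udp))?[\"']?[[:space:]]*\$"
  tmp=$(mktemp)
  awk -v re="$re" '
    $0 ~ re { next }                                   # drop the mapping itself
    held != "" {                                       # a "ports:" line is pending
      if ($0 ~ /^[[:space:]]*-[[:space:]]/) print held # keep it only if entries remain
      held = ""
    }
    /^[[:space:]]*ports:[[:space:]]*$/ { held = $0; next }
    { print }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Count mappings in $1 that still publish host port $2 (0 means the edit took effect).
published_port_count() {
  grep -cE "^[[:space:]]*-[[:space:]]*[\"']?([0-9.]+:)?$2:[0-9]+" "$1" || true
}

# Constructed sample resembling a saved analytics.yml; prints the file path.
make_sample() {
  sample=$(mktemp)
  cat > "$sample" <<'EOF'
version: "3.4"
services:
  historical:
    image: example/druid-historical:placeholder
    ports:
      - "8083:8083"
    environment:
      - DRUID_XMX=1g
  broker:
    ports:
      - "0.0.0.0:8082:8082"
EOF
  echo "$sample"
}

# Usage: f=$(make_sample); remove_published_port "$f" 8083; published_port_count "$f" 8083
# On a live swarm, confirm the running service as well:
#   docker service inspect portal_historical --format '{{json .Spec.EndpointSpec.Ports}}'
```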

The log4j finding is reported because this is an old portal version. Upgrading to the latest version upgrades Druid, which in turn upgrades the log4j version used by Druid.