External pentest on API Portal show that port 8083 is showing unwanted information

Article ID: 241865

Products

CA API Developer Portal

Issue/Introduction

Following an external pentest of the developer portal we found that:

  1. The http://portalhost:8083/application.wadl URI provides too much information to users, without encryption. Is it possible to close port 8083 completely or automatically forward it to an HTTPS port? Additionally, can we disable the application.wadl URI entirely?
  2. http://portalhost:8083/status/properties displays an outdated log4j version.

Environment

Release : 4.5

Component :

Resolution

Port 8083 is the default published port of the Druid historical container. If needed, you can unpublish this port from the running stack by running:

      docker service update portal_historical --publish-rm 8083

This only changes the running service. To make the change persistent when the portal is redeployed, do the following:

Run portal.sh keep. This saves the analytics.yml and docker-compose.yml used by the deployment.

Edit analytics.yml and remove the 8083 port mapping from the historical service.

Because portal.sh regenerates the stack from its own copy of the analytics definition, you also need to update portal.sh so that the following section uses the edited analytics.yml:

if [[ "${AE}" == y ]]; then
  # Deploys the analytics stack from the ANALYTICS_YML variable; point this at
  # the edited analytics.yml so the 8083 publish is not re-created on redeploy.
  tmpfile=$(mktemp)
  echo "${ANALYTICS_YML}" > "$tmpfile"
  docker stack deploy --with-registry-auth --compose-file "$tmpfile" portal
  rm "$tmpfile"
fi

Keep in mind that an upgrade will replace the portal.sh file, so the edit has to be reapplied after upgrading.
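As an added example (not from this article or the portal's own scripts), the following POSIX shell function strips the 8083 port mapping from a compose-style file such as the analytics.yml saved by portal.sh keep, and drops the ports: key when nothing is left under it so the stack still deploys. The sample YAML, service names and image tag are constructed for illustration and are not the portal's real analytics.yml.

```shell
# remove_published_port PORT: read compose YAML on stdin, write it back with
# every short-form "ports:" entry that publishes PORT removed. If a ports list
# ends up empty, the "ports:" key is dropped too, so the stack still deploys.
remove_published_port() {
  awk -v port="$1" -v sq="'" '
    function flush() {
      if (inports) {
        if (kept > 0) printf "%s", buf
        inports = 0; kept = 0; buf = ""
      }
    }
    /^[[:space:]]*ports:[[:space:]]*$/ {
      flush(); inports = 1; buf = $0 "\n"; indent = match($0, /[^ ]/); next
    }
    inports {
      if ($0 ~ /^[[:space:]]*-/ && match($0, /[^ ]/) > indent) {
        item = $0
        sub(/^[[:space:]]*-[[:space:]]*/, "", item)
        gsub(/"/, "", item); gsub(sq, "", item)
        n = split(item, f, ":")            # [host:]published:target[/proto]
        published = (n >= 2) ? f[n - 1] : f[1]
        sub(/\/.*/, "", published)         # strip "/tcp" or "/udp"
        if (published == port) next        # drop this mapping
        buf = buf $0 "\n"; kept++; next
      }
      flush()                              # first line after the list
    }
    { print }
    END { flush() }
  '
}

# Constructed sample (not the real analytics.yml shipped with the portal):
SAMPLE_YML='services:
  historical:
    image: portal/druid-historical:4.5
    ports:
      - "8083:8083"
    environment:
      - DRUID_SERVICE=historical
  broker:
    ports:
      - 8082:8082
      - "127.0.0.1:8083:8083"'

# Print the hardened YAML: both 8083 mappings go, and so does the ports: key
# of the historical service, which would otherwise be left empty.
printf '%s\n' "$SAMPLE_YML" | remove_published_port 8083
```

After editing the real file, docker service inspect portal_historical lets you confirm that no 8083 entry remains in the published ports before relying on the change.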

The log4j warning is reported because this is an old portal version. Upgrading to the latest portal version upgrades Druid, which in turn upgrades the log4j version used by Druid.