Bug 1318796

Summary: HAproxy sets a cookie that contains the internal IP address of a pod
Product: OKD Reporter: Sten Turpin <sten>
Component: Routing Assignee: Phil Cameron <pcameron>
Status: CLOSED CURRENTRELEASE QA Contact: zhaozhanqi <zzhao>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.x CC: agrimm, aos-bugs, bbennett, bperkins, erich, erjones, pcameron
Target Milestone: --- Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: atomic-openshift-3.2.0.20 Doc Type: Bug Fix
Doc Text:
Cause: missing code. Consequence: IP is in clear text. Fix: obscure target IP address in cookie by hashing the IP address along with other route information. Result: IP is obscured.
Last Closed: 2016-07-08 13:16:33 UTC Type: Bug
Bug Blocks: 1303130, 1322718    

Description Sten Turpin 2016-03-17 20:40:07 UTC
Description of problem: During security analysis, a customer found that a cookie was being set with the name of "OPENSHIFT_<namespace>_SERVERID", containing the internal IP address of the pod.

Version-Release number of selected component (if applicable): registry.access.redhat.com/openshift3/ose-haproxy-router        v3.1.1.6


How reproducible: always


Steps to Reproduce:
1. browse to an app served by the cluster
2. cookie is set

Actual results:
cookie contains the pod IP address

Expected results:
Cookie should not contain identifiable information. Per the customer: "The weakness provides a potential attacker with information on the internal network the site is residing on. Information such as IP schemes allow an attacker to develop a more comprehensive attack plan to pivot on the network or evade detection."

Additional info:

Comment 2 Ben Bennett 2016-04-04 18:36:51 UTC
https://github.com/openshift/origin/pull/8334

Comment 3 Phil Cameron 2016-04-08 15:10:23 UTC
Test added to 
https://github.com/openshift/origin/pull/8334

Comment 4 Phil Cameron 2016-04-12 19:03:54 UTC
https://github.com/openshift/origin/pull/8334 
Fix is Merged in openshift/origin.

Comment 5 Eric Rich 2016-04-18 13:16:01 UTC
This does not look to be merged. Can you confirm that it is merged?

Comment 6 Phil Cameron 2016-04-18 13:24:43 UTC
Eric Rich, As far as I know Eric Paris merged the fix. What information do you need?

Comment 7 Eric Rich 2016-04-18 13:42:07 UTC
(In reply to Phil Cameron from comment #6)
> Eric Rich, As far as I know Eric Paris merged the fix. What information do
> you need?

PR upstream is not merged, but open. This is what I am referring to. https://github.com/openshift/origin/pull/8334

Comment 8 Ben Bennett 2016-04-20 15:24:29 UTC
PR has merged.

Comment 9 zhaozhanqi 2016-04-21 08:07:06 UTC
rebuild router image using the latest code

and check the cookies values have changed to hash

verified this bug.
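
One way to script the check described in comment 9, as an added Go example that is not part of the bug report or of the openshift/origin fix: it scans Set-Cookie headers for OPENSHIFT_<namespace>_SERVERID cookies whose value still embeds an IPv4 address. The sample cookie values, the names demo and frontend, and the OpaqueID helper (SHA-256 over namespace, route and endpoint) are assumptions for illustration; the page does not show the router's actual hash inputs or algorithm.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
	"net/http"
	"regexp"
	"strings"
)

// ipv4Re finds dotted-quad candidates anywhere in a cookie value.
var ipv4Re = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)

// LeakedIPs parses raw Set-Cookie header values and returns, keyed by cookie
// name, every valid IPv4 address embedded in an OPENSHIFT_*_SERVERID cookie.
func LeakedIPs(setCookies []string) map[string][]string {
	resp := http.Response{Header: http.Header{"Set-Cookie": setCookies}}
	leaks := map[string][]string{}
	for _, c := range resp.Cookies() {
		if !strings.HasPrefix(c.Name, "OPENSHIFT_") || !strings.HasSuffix(c.Name, "_SERVERID") {
			continue
		}
		for _, m := range ipv4Re.FindAllString(c.Value, -1) {
			if net.ParseIP(m) != nil { // drops non-addresses such as 999.1.1.1
				leaks[c.Name] = append(leaks[c.Name], m)
			}
		}
	}
	return leaks
}

// OpaqueID is a hypothetical helper (assumption, not the router's code): it
// hashes the endpoint together with route information so that the cookie
// value no longer carries the pod address in clear text.
func OpaqueID(namespace, route, endpoint string) string {
	sum := sha256.Sum256([]byte(namespace + "/" + route + "/" + endpoint))
	return hex.EncodeToString(sum[:16])
}

func main() {
	// Constructed sample headers: before and after the router image rebuild.
	before := []string{"OPENSHIFT_demo_SERVERID=10.1.2.3:8080; path=/; HttpOnly"}
	after := []string{"OPENSHIFT_demo_SERVERID=" +
		OpaqueID("demo", "frontend", "10.1.2.3:8080") + "; path=/; HttpOnly"}
	fmt.Println("before:", LeakedIPs(before)) // reports 10.1.2.3
	fmt.Println("after: ", LeakedIPs(after))  // empty map
}
```

A non-empty result for any route means the router is still emitting the pod address in its session-affinity cookie.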