| Summary: | Cookie name leaks information about the infrastructure software and the internal project names | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Harald Klein <hklein> |
| Component: | Networking | Assignee: | Phil Cameron <pcameron> |
| Networking sub component: | router | QA Contact: | zhaozhanqi <zzhao> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | medium | | |
| Priority: | urgent | CC: | bbennett, bleanhar, bmeng, eparis, erich, hklein, javier.ramirez, jokerman, mmccomas, pcameron, pep, sdodson, trankin |
| Version: | 3.2.0 | Keywords: | Reopened |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Cause: The routing cookie previously contained information such as the application framework and service name.<br>Consequence: Information about the internal routing and infrastructure components was visible to external users.<br>Fix: The routing cookie name is now hashed.<br>Result: Internal details are no longer visible to external users. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-07-05 16:53:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 1267746 | | |
Comment 4
Ben Bennett
2016-04-20 14:58:40 UTC
We should also make sure that we aren't leaking the project names in the cookie names. test/integration/router_test.go lines 1038-1043 is a test for this.

Already tested this on origin with haproxy image id openshift/origin-haproxy-router e3edbeea1962; this issue had been fixed. Since this bug is reported on OSE, for now I'd like to move the status to 'modified'. Please move back to 'ON_QA' once this is merged to OSE. Thanks.

https://github.com/openshift/origin/pull/8615 See last comment: "Pull request successfully merged and closed". Is there something else that needs to be done?

Hi Phil, yes, the bug has been fixed in the latest origin code, and QE has verified that it works. But since this bug was reported against the OpenShift Enterprise product, we should close the bug only when the code has been merged into the latest OSE build, as per the workflow. The productization team will handle the MODIFIED bugs when they create new builds. Since PR 286 has not been merged into the latest OSE puddle, I will verify this bug once it's merged.

@Eric I checked the latest haproxy images with the following:

brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888/openshift3/ose-haproxy-router v3.2.1.1 77f0eb2358e8 31 hours ago 497.3 MB

It seems PR 286 has still not been merged into this image. Could you help confirm this?

Checked this issue with haproxy router image id 8c185ef9a991: the cookie name is now using a hash key instead, including the following scenarios (insecure/edge/passthrough/reencrypt).

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1383
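The verification QE describes above (for each route type, the router's cookie name must be a hash and carry no framework, project or service name) can be scripted as a response check. This is an added example, not code from the bug, the router or the router_test.go test it cites; the Set-Cookie samples, the internal-name list and the assumption that a hashed name is a fixed-width lowercase hex digest are constructed here, since the bug does not state the hash format.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// Internal identifiers that must never appear in a cookie name (constructed list).
var internalNames = []string{"openshift", "haproxy", "myproject", "myservice"}

// Assumption: a hashed cookie name is a fixed-width lowercase hex digest.
var hashedName = regexp.MustCompile(`^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$`)

// CookieName returns the name part of a Set-Cookie header value.
func CookieName(setCookie string) string {
	pair := strings.SplitN(strings.TrimSpace(setCookie), ";", 2)[0]
	return strings.TrimSpace(strings.SplitN(pair, "=", 2)[0])
}

// LeakedNames lists internal identifiers found (case-insensitively) in the name.
func LeakedNames(setCookie string, internal []string) []string {
	name := strings.ToLower(CookieName(setCookie))
	var leaked []string
	for _, id := range internal {
		if strings.Contains(name, strings.ToLower(id)) {
			leaked = append(leaked, id)
		}
	}
	return leaked
}

// IsHashedName reports whether the cookie name looks like a hash digest.
func IsHashedName(setCookie string) bool {
	return hashedName.MatchString(CookieName(setCookie))
}

// Verify is the per-route check: the name is hashed and leaks nothing.
func Verify(setCookie string, internal []string) bool {
	return IsHashedName(setCookie) && len(LeakedNames(setCookie, internal)) == 0
}

func main() {
	// Constructed samples: a pre-fix name embedding project/service, then a post-fix hash.
	for _, s := range []string{
		"OPENSHIFT_myproject_myservice_ROUTE=2a1f; Path=/",
		"b6a3f2e0c9d14f7a8e5b3c2d1f0a9e8b=2a1f; Path=/",
	} {
		fmt.Printf("%-48s ok=%v leaked=%v\n", s, Verify(s, internalNames), LeakedNames(s, internalNames))
	}
}
```

Run it against the Set-Cookie header of a real response for each of the insecure, edge, passthrough and reencrypt routes, with internalNames filled from the route's actual namespace and service names.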