Bug 1330233 (CVE-2016-3703)

Summary: CVE-2016-3703 OpenShift Enterprise 3: Untrusted content loaded via the API proxy can access web console credentials on the same domain
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleanhar, ccoleman, dmcphers, jialiu, jkeck, jliggitt, jokerman, kseifried, lmeyer, mmccomas, sdodson, security-response-team, wjiang, wsun
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
An origin validation vulnerability was found in OpenShift Enterprise. An attacker could potentially access API credentials stored in a web browser's localStorage if anonymous access was granted to a service/proxy or pod/proxy API for a specific pod, and an authorized access_token was provided in the query parameter.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-20 00:21:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1329720, 1331564    
Bug Blocks: 1330234, 1335624    

Description Kurt Seifried 2016-04-25 17:06:17 UTC 
Jordan Liggitt of Red Hat reports:

Malicious content can be loaded via the API proxy via a GET request if:
1. an authorized access_token is provided as a query parameter
2. anonymous access is granted to the service/proxy or pod/proxy API for the 
pod serving the content

That content has same-domain access to the browser localStorage if the web 
console and API server are hosted on the same domain. This gives the malicious 
content access to the logged in user's API credentials.
Comment 1 Kurt Seifried 2016-04-25 17:06:23 UTC 
Acknowledgments:

Name: Jordan Liggitt (Red Hat)
Comment 4 errata-xmlrpc 2016-05-19 20:13:13 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 3.2

Via RHSA-2016:1094 https://access.redhat.com/errata/RHSA-2016:1094
Comment 5 errata-xmlrpc 2016-05-19 20:38:20 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 3.1

Via RHSA-2016:1095 https://access.redhat.com/errata/RHSA-2016:1095