Bug 1656438

Summary: Update Bootstrap to 3.4.0
Product: OpenShift Container Platform
Reporter: Bruno Andrade <bandrade>
Component: Management Console
Assignee: Robb Hamilton <rhamilto>
Status: CLOSED ERRATA
QA Contact: Yadan Pei <yapei>
Severity: high
Docs Contact:
Priority: unspecified
Version: 3.11.0
CC: aos-bugs, jokerman, mmccomas, spadgett, yanpzhan
Target Milestone: ---
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Bootstrap v3.3.5 contains a Cross-Site Scripting (XSS) vulnerability.
Consequence: None, as the management console does not allow user input to be displayed via a data-target attribute.
Fix: Upgrade Bootstrap to v3.4.0, which fixes the vulnerability.
Result: The management console is no longer at risk of possible exploit via the Cross-Site Scripting (XSS) vulnerability in Bootstrap v3.3.5.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-01-30 15:19:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Bruno Andrade 2018-12-05 14:05:11 UTC
Description of problem:

One finding we had is that the current version of Bootstrap is v3.3.5 which is known to have some exploits.

Is there a way to use the latest Bootstrap v.4.x instead?

Version-Release number of selected component (if applicable):
3.11.0

Comment 1 Samuel Padgett 2019-01-07 15:06:35 UTC
Here is the related CVE for Bootstrap 3.3.x:

https://nvd.nist.gov/vuln/detail/CVE-2018-14041

Our evaluation is that this is NOT exploitable in OpenShift console as we do not put unknown content into a `data-target` attribute. Regardless, we plan to update to Bootstrap to 3.4.0 in OpenShift 3.11.z, which has a fix for the CVE in Bootstrap:

https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/

Comment 2 Robb Hamilton 2019-01-07 16:20:24 UTC
PR to resolve: https://github.com/openshift/origin-web-console/pull/3105

Comment 4 Yanping Zhang 2019-01-15 03:07:06 UTC
OpenShift Master:
v3.11.69
Kubernetes Master:
v1.11.0+d4cacc0
OpenShift Web Console:
v3.11.69

Tested on an OCP 3.11 env with the above version; checked <server>/console/styles/main.css, and it indicates Bootstrap version v3.4.0 now.

 * Bootstrap v3.4.0 (https://getbootstrap.com/)
 * Copyright 2011-2018 Twitter, Inc.
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)

I think the bug has been fixed, move it to Verified. If there is something wrong, pls point out, thanks!
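Comment 4 verifies the fix by reading the Bootstrap banner comment in the console's bundled main.css. The following added example (not code from this bug or from the origin-web-console project) automates that check: it extracts the version from the banner and compares it against the 3.4.0 floor named in this bug; the CSS samples are constructed.

```python
import re

# Lowest 3.x release carrying the fix for CVE-2018-14041, per this bug.
# The floor is only asserted for the 3.x line this bug discusses.
FIXED_VERSION = (3, 4, 0)

# Matches the "Bootstrap vX.Y.Z" banner that Comment 4 found in main.css
BANNER_RE = re.compile(r"Bootstrap v(\d+)\.(\d+)\.(\d+)")


def bootstrap_version(css_text):
    """Return (major, minor, patch) from the Bootstrap banner in a CSS
    bundle, or None if no banner is present (e.g. a stripped build)."""
    m = BANNER_RE.search(css_text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_patched(css_text, fixed=FIXED_VERSION):
    """True when the bundle advertises a version on the same major line as
    `fixed` and at or above it. A missing banner or a different major line
    is reported as False: not verified by this check, not 'safe'."""
    version = bootstrap_version(css_text)
    if version is None or version[0] != fixed[0]:
        return False
    return version >= fixed


# Constructed sample: the banner seen in <server>/console/styles/main.css
PATCHED_CSS = """/*!
 * Bootstrap v3.4.0 (https://getbootstrap.com/)
 * Copyright 2011-2018 Twitter, Inc.
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
 */
.btn{display:inline-block}"""

# Constructed sample of the pre-fix bundle the bug was filed against
VULNERABLE_CSS = """/*!
 * Bootstrap v3.3.5 (http://getbootstrap.com)
 */"""

if __name__ == "__main__":
    for label, css in (("patched", PATCHED_CSS), ("vulnerable", VULNERABLE_CSS)):
        state = "ok" if is_patched(css) else "NEEDS UPDATE"
        print(label, bootstrap_version(css), state)
```

Point the script at the CSS fetched from the console (e.g. with curl) to re-run the Comment 4 check after each upgrade.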

Comment 6 errata-xmlrpc 2019-01-30 15:19:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0096