Bug 1656438

Summary: Update Bootstrap to 3.4.0
Product: OpenShift Container Platform
Reporter: Bruno Andrade <bandrade>
Component: Management Console
Assignee: Robb Hamilton <rhamilto>
Status: CLOSED ERRATA
QA Contact: Yadan Pei <yapei>
Severity: high
Docs Contact:
Priority: unspecified
Version: 3.11.0
CC: aos-bugs, jokerman, mmccomas, spadgett, yanpzhan
Target Milestone: ---
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Bootstrap v3.3.5 contains a Cross-Site Scripting (XSS) vulnerability.
Consequence: None, as the management console does not allow user input to be displayed via a data-target attribute.
Fix: Upgrade Bootstrap to v3.4.0, which fixes the vulnerability.
Result: The management console is no longer at risk of possible exploit via the Cross-Site Scripting (XSS) vulnerability in Bootstrap v3.3.5.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-01-30 15:19:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Bruno Andrade 2018-12-05 14:05:11 UTC
Description of problem:

One finding we had is that the current version of Bootstrap is v3.3.5 which is known to have some exploits.

Is there a way to use the latest Bootstrap v.4.x instead?

Version-Release number of selected component (if applicable):

Comment 1 Samuel Padgett 2019-01-07 15:06:35 UTC
Here is the related CVE for Bootstrap 3.3.x:


Our evaluation is that this is NOT exploitable in OpenShift console as we do not put unknown content into a `data-target` attribute. Regardless, we plan to update Bootstrap to 3.4.0 in OpenShift 3.11.z, which has a fix for the CVE in Bootstrap:


Comment 2 Robb Hamilton 2019-01-07 16:20:24 UTC
PR to resolve: https://github.com/openshift/origin-web-console/pull/3105

Comment 4 Yanping Zhang 2019-01-15 03:07:06 UTC
OpenShift Master:
Kubernetes Master:
OpenShift Web Console:

Tested on an OCP 3.11 env with the above version; checked <server>/console/styles/main.css, and it indicates Bootstrap version v3.4.0 now.

 * Bootstrap v3.4.0 (https://getbootstrap.com/)
 * Copyright 2011-2018 Twitter, Inc.
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)

I think the bug has been fixed; moving it to Verified. If there is something wrong, please point it out, thanks!

Comment 6 errata-xmlrpc 2019-01-30 15:19:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.