Bug 1694913
| Summary: | web-console: CORS allowed origin too permissive | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jason Shepherd <jshepherd> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | ahardin, bleanhar, ccoleman, dbaker, dedgar, dranders, eparis, grocha, jgoulding, jokerman, mchappel, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | OpenShift Container Platform (OCP) 3.6 and earlier versions were too permissive in the way they specified CORS allowed origins during installation. An attacker able to perform an XSS attack on a vulnerable cluster can use this flaw to perform a phishing attack. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-20 07:11:44 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1695410 | | |
| Bug Blocks: | 1694910 | | |
Description
Jason Shepherd
2019-04-02 03:40:25 UTC
Acknowledgments:
Name: Dave Baker (Red Hat)

One-liner detection script - this will return any values in the corsAllowedOrigins list that do not start with the suggested regex preamble.
$ sed -ne '/^corsAllowedOrigins:/,/^[a-z]/{ /^\s*-\s*[a-z]/p }' /etc/origin/master/master-config.yaml
Statement:
While this issue was fixed in the installer for OCP 3.7 and later, a cluster originally installed with 3.6, then upgraded using the openshift-ansible tool remains vulnerable to this issue.
To detect if an OCP cluster is vulnerable, run this script on any master node in the cluster. Any output generated indicates poorly formatted lines that need mitigation.
$ sed -ne '/^corsAllowedOrigins:/,/^[a-z]/{ /^\s*-\s*[a-zA-Z0-9]/p }' /etc/origin/master/master-config.yaml
Mitigation:
Ensure that the corsAllowedOrigins definition within master-config.yaml contains elements in the form
~~~
corsAllowedOrigins:
- (?i)//my\.subdomain\.domain\.com(:|\z)
~~~
and not the form
~~~
corsAllowedOrigins:
- domain.com
~~~
as the first will permit cross-origin requests only if the host matches exactly, whereas the second will permit them from any host that merely contains the string (such as ABCDdomain.com or even domain.comABCD.com).
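As an added example (not part of the bug report or of OpenShift's own code), the Go program below shows why the two forms differ and reimplements the sed check over a constructed master-config.yaml excerpt. It assumes, as the API server's CORS filter does, that each corsAllowedOrigins entry is compiled as a Go regular expression and matched against the full Origin header value.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed master-config.yaml excerpt: two anchored entries, two loose ones.
const sampleMasterConfig = `corsAllowedOrigins:
- (?i)//127\.0\.0\.1(:|\z)
- (?i)//localhost(:|\z)
- domain.com
- 10.0.0.1
kubernetesMasterConfig: {}
`

// originAllowed reports whether an Origin header value matches any entry.
// Assumption: as in the API server's CORS filter, each entry is a Go regexp
// run against the whole "scheme://host[:port]" value, so "domain.com" matches anywhere in it.
func originAllowed(origin string, allowed []string) bool {
	for _, pattern := range allowed {
		if re, err := regexp.Compile(pattern); err == nil && re.MatchString(origin) {
			return true
		}
	}
	return false
}

// looseEntries lists items that start with a letter or digit instead of "(?i)//", as the sed one-liner does.
func looseEntries(masterConfig string) []string {
	looseItem := regexp.MustCompile(`^\s*-\s*[a-zA-Z0-9]`)
	var found []string
	inList := false
	for _, line := range strings.Split(masterConfig, "\n") {
		if strings.HasPrefix(line, "corsAllowedOrigins:") {
			inList = true
		} else if inList && len(line) > 0 && line[0] != '-' && line[0] != ' ' {
			inList = false // the next top-level key closes the list
		} else if inList && looseItem.MatchString(line) {
			found = append(found, strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(line), "-")))
		}
	}
	return found
}

func main() {
	fmt.Println("loose entries:", looseEntries(sampleMasterConfig))
	fmt.Println(originAllowed("https://domain.comABCD.com", []string{`domain.com`}), originAllowed("https://domain.comABCD.com", []string{`(?i)//domain\.com(:|\z)`}))
}
```

The second line printed reads `true false`: the bare entry accepts an unrelated host, the anchored form rejects it.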