Bug 1763634

Summary: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in Grafana route
Product: OpenShift Container Platform Reporter: Sergio G. <sgarciam>
Component: MonitoringAssignee: Frederic Branczyk <fbranczy>
Status: CLOSED ERRATA QA Contact: Junqi Zhao <juzhao>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.11.0CC: alegrand, anpicker, aos-bugs, erooth, kakkoyun, lcosic, mloibl, mmasters, pkrupa, surbania
Target Milestone: ---   
Target Release: 3.11.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1772000 (view as bug list) Environment:
Last Closed: 2019-12-16 11:57:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sergio G. 2019-10-21 08:22:45 UTC 
Locations
https://grafana-openshift-monitoring.apps.test.labs.com

Description
The secure flag is used to prevent any sensitive cookie values from being sent over an unencrypted channel. When the secure flag is set by the server the browser will not transmit the cookie over HTTP The affected application fails to set this flag on what appears to be a session token. A suitable placed attacker could perform a Man in the Middle attack to downgrade an SSL connection from a client and capture the cookie value when it sent over HTTP even if the backend server rejects the connection the client will still attempt to send it via HTTP.

Exploitation
The following cookie is set by the Grafana application without the Secure flag set

Recommendations
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS – including session tokens.

References
https://cwe.mitre.org/data/definitions/614.html
Comment 1 Miciah Dashiel Butler Masters 2019-11-06 15:56:54 UTC 
> The following cookie is set by the Grafana application without the Secure flag set

What cookie?  Can you also provide the haproxy.config (or at least the configuration block for the backend corresponding to the route)?

It is possible the router set a cookie for session stickiness, but if it  did, the cookie should be marked secure:  https://github.com/openshift/router/blob/e7479192fadbc469e6f16ef752c5acfa99519690/images/router/haproxy/conf/haproxy-config.template#L442-L443
Comment 2 Sergio G. 2019-11-12 07:14:20 UTC 
The referred cookie is grafana_sess.

Regards,
Sergio
Comment 3 Miciah Dashiel Butler Masters 2019-11-12 18:01:18 UTC 
The cookie in question is set by Grafana, so I am moving this Bugzilla report to the Monitoring component (which I hope includes Grafana).

It seems like the problem could be solved by adding "cookie_secure = false" to the base64-encoded grafana.ini here, but I have not tested such a change: https://github.com/openshift/cluster-monitoring-operator/blob/master/assets/grafana/config.yaml
Comment 4 Frederic Branczyk 2019-11-13 11:48:57 UTC 
Merged the fix for 3.11 https://github.com/openshift/cluster-monitoring-operator/pull/546

We're continuing with the 4.x releases.
Comment 8 errata-xmlrpc 2019-12-16 11:57:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:4050