Bug 1763634
Summary: | CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in Grafana route | |||
---|---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Sergio G. <sgarciam> | |
Component: | Monitoring | Assignee: | Frederic Branczyk <fbranczy> | |
Status: | CLOSED ERRATA | QA Contact: | Junqi Zhao <juzhao> | |
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | 3.11.0 | CC: | alegrand, anpicker, aos-bugs, erooth, kakkoyun, lcosic, mloibl, mmasters, pkrupa, surbania | |
Target Milestone: | --- | |||
Target Release: | 3.11.z | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | If docs needed, set a value | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1772000 (view as bug list) | Environment: | ||
Last Closed: | 2019-12-16 11:57:10 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: |
Description
Sergio G.
2019-10-21 08:22:45 UTC
> The following cookie is set by the Grafana application without the Secure flag set What cookie? Can you also provide the haproxy.config (or at least the configuration block for the backend corresponding to the route)? It is possible the router set a cookie for session stickiness, but if it did, the cookie should be marked secure: https://github.com/openshift/router/blob/e7479192fadbc469e6f16ef752c5acfa99519690/images/router/haproxy/conf/haproxy-config.template#L442-L443 The referred cookie is grafana_sess. Regards, Sergio The cookie in question is set by Grafana, so I am moving this Bugzilla report to the Monitoring component (which I hope includes Grafana). It seems like the problem could be solved by adding "cookie_secure = false" to the base64-encoded grafana.ini here, but I have not tested such a change: https://github.com/openshift/cluster-monitoring-operator/blob/master/assets/grafana/config.yaml Merged the fix for 3.11 https://github.com/openshift/cluster-monitoring-operator/pull/546 We're continuing with the 4.x releases. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:4050 |