Bug 1859334

Summary: OpenShift 4.4.5: Directory listings allowed in metal3 httpd containers
Product: OpenShift Container Platform Reporter: jteagno <jteagno+bugzilla>
Component: Bare Metal Hardware ProvisioningAssignee: Derek Higgins <derekh>
Bare Metal Hardware Provisioning sub component: ironic QA Contact: Polina Rabinovich <prabinov>
Status: CLOSED ERRATA Docs Contact:
Severity: low    
Priority: low CC: augol, beth.white, bhershbe, ealcaniz, prabinov, rbartal
Version: 4.4Keywords: Triaged
Target Milestone: ---   
Target Release: 4.6.0   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
config for the httpd service serving provisioning images has been tightened.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-27 16:16:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Description Flags
output-res none

Description jteagno 2020-07-21 17:59:52 UTC
Description of problem:

The httpd container in the "metal3" pod in the "openshift-machine-api" namespace (used for serving bare metal ironic images) allows directory listings.

A customer has identified this as a vulnerability requiring remediation.

Version-Release number of selected component (if applicable): OpenShift 4.4.5

How reproducible:

Steps to Reproduce:
1. Install a bare metal IPI cluster
2. Browse to the "httpd" container in the "metal3" pod, something like

Actual results:

A directory listing is served.

Expected results:

No directory listing is served.

Additional info:

$ OPENSHIFT_MACHINE_API_METAL3_POD="$(oc -n openshift-machine-api get pod -l api=clusterapi,k8s-app=controller -o name | grep metal3- | cut -d/ -f2)"


$ oc -n openshift-machine-api get pod $OPENSHIFT_MACHINE_API_METAL3_POD -o json | jq -r '.spec.containers[] | select(.name=="metal3-baremetal-operator") | .env[] | select(.name=="DEPLOY_KERNEL_URL") | .value' | sed -r -e 's;/[^/]+$;;g'

$ curl -s -L | head -n12
  <title>Index of /images</title>
<h1>Index of /images</h1>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a>       </td><td> </td><td align="right">  - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="ipa-ramdisk-pkgs.info">ipa-ramdisk-pkgs.info</a>  </td><td align="right">2020-05-18 09:02  </td><td align="right">276 </td><td> </td></tr>

The above output has been truncated.  These are the files appearing in the directory listing:

$ oc -n openshift-machine-api exec -it $OPENSHIFT_MACHINE_API_METAL3_POD -c metal3-httpd -- /bin/bash -c "ls -1 /shared/html/images"

Comment 1 Derek Higgins 2020-07-30 11:45:57 UTC
PR submitted to the upstream ironic image, I'll submit it to openshift once its merged.

Comment 4 Polina Rabinovich 2020-08-19 13:09:18 UTC
Created attachment 1711872 [details]

No directory listing is served

Comment 6 errata-xmlrpc 2020-10-27 16:16:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.