Bug 1859334

Summary: OpenShift 4.4.5: Directory listings allowed in metal3 httpd containers
Product: OpenShift Container Platform
Reporter: jteagno <jteagno+bugzilla>
Component: Bare Metal Hardware Provisioning
Sub component: ironic
Assignee: Derek Higgins <derekh>
QA Contact: Polina Rabinovich <prabinov>
Status: CLOSED ERRATA
Severity: low
Priority: low
CC: augol, beth.white, bhershbe, ealcaniz, prabinov, rbartal
Version: 4.4
Keywords: Triaged
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text: Config for the httpd service serving provisioning images has been tightened.
Type: Bug
Last Closed: 2020-10-27 16:16:41 UTC
Attachments: output-res (flags: none)

Description jteagno 2020-07-21 17:59:52 UTC
Description of problem:

The httpd container in the "metal3" pod in the "openshift-machine-api" namespace (used for serving bare metal ironic images) allows directory listings.

A customer has identified this as a vulnerability requiring remediation.


Version-Release number of selected component (if applicable): OpenShift 4.4.5


How reproducible:


Steps to Reproduce:
1. Install a bare metal IPI cluster
2. Browse to the "httpd" container in the "metal3" pod, something like http://172.22.0.7:6180/images/

Actual results:

A directory listing is served.


Expected results:

No directory listing is served.


Additional info:

$ OPENSHIFT_MACHINE_API_METAL3_POD="$(oc -n openshift-machine-api get pod -l api=clusterapi,k8s-app=controller -o name | grep metal3- | cut -d/ -f2)"

$ echo $OPENSHIFT_MACHINE_API_METAL3_POD
metal3-6674ffcfb-zt6sd

$ oc -n openshift-machine-api get pod $OPENSHIFT_MACHINE_API_METAL3_POD -o json | jq -r '.spec.containers[] | select(.name=="metal3-baremetal-operator") | .env[] | select(.name=="DEPLOY_KERNEL_URL") | .value' | sed -r -e 's;/[^/]+$;;g'
http://172.22.0.7:6180/images

$ curl -s -L http://172.22.0.7:6180/images | head -n12
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /images</title>
 </head>
 <body>
<h1>Index of /images</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a>       </td><td> </td><td align="right">  - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="ipa-ramdisk-pkgs.info">ipa-ramdisk-pkgs.info</a>  </td><td align="right">2020-05-18 09:02  </td><td align="right">276 </td><td> </td></tr>

The above output has been truncated.  These are the files appearing in the directory listing:

$ oc -n openshift-machine-api exec -it $OPENSHIFT_MACHINE_API_METAL3_POD -c metal3-httpd -- /bin/bash -c "ls -1 /shared/html/images"
ipa-ramdisk-pkgs.info
ironic-python-agent.initramfs
ironic-python-agent.kernel
rhcos-4.4.3-x86_64-openstack.x86_64.qcow2
rhcos-ootpa-latest.qcow2
rhcos-ootpa-latest.qcow2.md5sum
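
An added check, not part of the bug report, that scripts the probe the report performs by hand: it derives the images URL from the operator's DEPLOY_KERNEL_URL exactly as above and fails if the response is an Apache autoindex page. It assumes `oc`, `jq` and `curl` are on PATH, an active cluster login, and that the host can reach the provisioning network; the pod label selectors are the ones from the report.

```bash
#!/usr/bin/env bash
# Added example (not from the bug report): detect whether the metal3 httpd
# image endpoint still serves an Apache directory listing.

# Return 0 if the HTML body looks like an Apache mod_autoindex page.
# mod_autoindex always emits "<title>Index of /..." for a listing.
is_autoindex() {
    printf '%s' "$1" | grep -qi '<title>Index of /'
}

# Print the file names a listing exposes, one per line, skipping the
# sort links (?C=...) and the "Parent Directory" link (/).
autoindex_entries() {
    printf '%s' "$1" \
        | grep -o '<a href="[^"?/][^"]*">' \
        | sed -e 's/^<a href="//' -e 's/">$//'
}

# Locate the metal3 pod and its images URL the same way the report does,
# then probe it. Returns 1 (and lists the exposed files) when listing is on.
# The fix shipped as a tightened httpd config (see Doc Text); in Apache terms
# the directive that disables listings is "Options -Indexes".
check_metal3_images() {
    local pod url body
    pod="$(oc -n openshift-machine-api get pod -l api=clusterapi,k8s-app=controller -o name \
        | grep metal3- | cut -d/ -f2)"
    url="$(oc -n openshift-machine-api get pod "$pod" -o json \
        | jq -r '.spec.containers[] | select(.name=="metal3-baremetal-operator") | .env[] | select(.name=="DEPLOY_KERNEL_URL") | .value' \
        | sed -r 's;/[^/]+$;;')"
    body="$(curl -s -L "$url/")"
    if is_autoindex "$body"; then
        echo "FAIL: $url serves a directory listing exposing:"
        autoindex_entries "$body"
        return 1
    fi
    echo "OK: $url does not serve a directory listing"
}
```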

Comment 1 Derek Higgins 2020-07-30 11:45:57 UTC
PR submitted to the upstream ironic image; I'll submit it to openshift once it's merged.

Comment 4 Polina Rabinovich 2020-08-19 13:09:18 UTC
Created attachment 1711872 [details]
output-res

No directory listing is served

Comment 6 errata-xmlrpc 2020-10-27 16:16:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196