Bug 1980235

Summary: OAuth proxy version is displayed should be removed.
Product: OpenShift Container Platform
Reporter: Nitish Kaushik <nkaushik>
Component: oauth-proxy
Assignee: Standa Laznicka <slaznick>
Status: CLOSED ERRATA
QA Contact: Ke Wang <kewang>
Severity: low
Docs Contact:
Priority: medium
Version: 4.6
CC: aos-bugs, kewang, liyao, mfojtik, slaznick, surbania
Target Milestone: ---
Target Release: 4.9.0
Hardware: All
OS: Other
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-18 17:38:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Nitish Kaushik 2021-07-08 07:37:39 UTC
Description of problem:

During a penetration test we had a medium warning regarding the official OAuth proxy image.
The version is displayed in the page footer.
This information can be useful for an attacker if an exploitable vulnerability exists for that version in order to compromise the server.

Could you please fix it in the official image?


Version-Release number of selected component (if applicable): OCP 4.6

oauth proxy version (2.3.0)

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Standa Laznicka 2021-07-08 07:41:09 UTC
The oauth-proxy version has been the same for the course of the OpenShift 4.x lifetime, although there were a bunch of changes to the binary. We no longer use these versions, so I'll see if we can just easily remove it.

Comment 5 Standa Laznicka 2021-07-09 12:44:25 UTC
I don't see a backport all the way to 4.6 as a very likely option. Given the fact that the displayed version really has no further meaning, it would probably not pass as a prioritized enough fix to be ported all the way back, I'm afraid.

Comment 8 Sergiusz Urbaniak 2021-08-17 09:23:51 UTC
sprint review: @QA: please submit sprint review status

Comment 11 Ke Wang 2021-09-23 06:26:49 UTC
Verified with OCP 4.9.0-0.nightly-2021-09-22-171016 payload, steps as below:
1. Logged in to the web console of the cluster with kubeadmin.
2. Navigated to Networking -> Routes, browsed the web links of prometheus and alertmanager, and checked the login page; the oauth-proxy was displayed without versions.
Pasted the related screenshots.
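The verification in Comment 11 was done by eye in the browser. As an added example (not code from this bug or from the oauth-proxy project), the script below automates the same check: it strips a rendered login page down to its visible text and reports any version string found there, so the check can be repeated across every oauth-proxy-fronted route after an upgrade. The footer wording in the two sample pages is constructed for the example and is not taken from the real oauth-proxy templates; the regexes are likewise assumptions about what a version leak looks like, not a list the page provides.

```python
import re
import urllib.request
from html.parser import HTMLParser

# Shapes of version disclosure a reviewer would flag in visible page text.
# These patterns are assumptions constructed for this example.
VERSION_PATTERNS = [
    # e.g. "oauth-proxy v2.3.0", "oauth_proxy 2.3"
    re.compile(r"\boauth[-_ ]proxy\s+v?\d+\.\d+(?:\.\d+)?\b", re.IGNORECASE),
    # e.g. "version 2.3.0", "Version: v2.3.0"
    re.compile(r"\bversion\s*[:=]?\s*v?\d+\.\d+\.\d+\b", re.IGNORECASE),
]


class _TextExtractor(HTMLParser):
    """Collect the text a user would see, ignoring <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self._skip_depth = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def visible_text(html: str) -> str:
    """Return the page's visible text with whitespace collapsed to single spaces."""
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(" ".join(parser.parts).split())


def find_version_disclosures(html: str) -> list:
    """Return every version-looking string in the visible text (empty list if none)."""
    text = visible_text(html)
    hits = []
    for pattern in VERSION_PATTERNS:
        hits.extend(match.group(0) for match in pattern.finditer(text))
    return hits


def check_login_page(url: str, timeout: float = 10.0) -> list:
    """Fetch a route's login page over HTTPS and scan it. Network access is assumed
    to be available and the cluster CA trusted by the local trust store."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode(resp.headers.get_content_charset() or "utf-8")
    return find_version_disclosures(body)


# Constructed sample pages standing in for the pre-fix and post-fix login page;
# they are not captures from a real cluster.
OLD_LOGIN_PAGE = """<html><body>
<form method="POST" action="/oauth/start"><button>Log in with OpenShift</button></form>
<script>var build = "2.3.0";</script>
<footer>Secured with <a href="#">oauth-proxy</a> version 2.3.0</footer>
</body></html>"""

NEW_LOGIN_PAGE = """<html><body>
<form method="POST" action="/oauth/start"><button>Log in with OpenShift</button></form>
<footer>Secured with <a href="#">oauth-proxy</a></footer>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("before fix", OLD_LOGIN_PAGE), ("after fix", NEW_LOGIN_PAGE)):
        leaks = find_version_disclosures(page)
        print(f"{name}: {'LEAK ' + ', '.join(leaks) if leaks else 'clean'}")
```

`check_login_page` is the function to run against each Prometheus and Alertmanager route URL from Comment 11; `find_version_disclosures` is the part exercised offline above. Only visible text is scanned: the `<script>` body in the sample still carries a version string, which this check deliberately ignores because the bug is about what the footer shows, so a separate review is needed if embedded scripts are in scope.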

Comment 15 errata-xmlrpc 2021-10-18 17:38:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759