Bug 2001240

Summary: Remove response headers for downloads of binaries from OpenShift WebConsole
Product: OpenShift Container Platform Reporter: Radomir Ludva <rludva>
Component: Management ConsoleAssignee: Jakub Hadvig <jhadvig>
Status: CLOSED ERRATA QA Contact: Yadan Pei <yapei>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.6CC: aos-bugs, spadgett, wking, yapei
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-10 16:07:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2002878    

Description Radomir Ludva 2021-09-04 18:17:56 UTC 
Description of problem:
-----------------------
The GET method is showing in the headers of HTTP Python/SimpleHTTP module and Python version. This kind of technical information can be used by an attacker to better plan and target its attack. It is expected to remove this information. Additionally it is expected to use dedicated http server for production purpose.


Version-Release number of selected component:
---------------------------------------------
- OCP v3.11.x


How reproducible:
-----------------
```
$ curl -k -v https://downloads-openshift-console.apps.cluster.example.com/amd64/linux-v
* About to connect() to downloads-openshift-console.apps.cluster.example.com/ port 443 (#0)
*   Trying 10.0.90.215...
* Connected to downloads-openshift-console.apps.cluster.example.com/ (10.0.90.215) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=*.apps.cluster.example.com
* 	start date: srp 29 02:51:11 2021 GMT
* 	expire date: srp 29 02:51:12 2023 GMT
* 	common name: *.apps.cluster.example.com/
* 	issuer: CN=ingress-operator@1630205020
> GET /amd64/linux-v HTTP/1.1
> User-Agent: curl/7.29.0
> Host: downloads-openshift-console.apps.cluster.example.com/> Accept: */*
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 404 File not found
< server: SimpleHTTP/0.6 Python/3.6.8
< date: Thu, 02 Sep 2021 11:15:24 GMT
< content-type: text/html;charset=utf-8
< content-length: 469
< set-cookie: a663438294fbd72a8e16964e97c8ecde=4bc0813e6e425460c0d603d0df029034; path=/; HttpOnly; Secure; SameSite=None
< cache-control: private
* HTTP/1.0 connection set to keep alive!
< connection: keep-alive
< 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
        "http://www.w3.org/TR/html4/strict.dtd">
<html>
    <head>
```

Actual results:
---------------
- In the header is information about used HTTP server and Python version: server: SimpleHTTP/0.6 Python/3.6.8

Expected results:
-----------------
- It is expected to remove this information for security reason
- It is recommend to not use Python SimpleHTTP module which is not dedicated for production purpose
Comment 1 Jakub Hadvig 2021-09-06 09:50:29 UTC 
Hi Radomir.
To clear the purpose of the SimpleHTTP Python server, we are using it only for serving 'oc' binaries so they can be downloaded for any user(they dont even have to be logged in to the OCP). They are also publicly available on github, that why we have been using it without any security issues. For that reason I dont think this is an issue.
With this justification could this issue be closed?
Comment 2 Radomir Ludva 2021-09-06 11:48:34 UTC 
Hello, Jakub, Yes I understand. It is clear. But the customer wants to remove the information about the used technology which is displayed in the HTTP Header. 
Because of the warning from their security team to do not export this kind of information.
Comment 3 Jakub Hadvig 2021-09-06 14:17:16 UTC 
Based on conversation with Radovan, changing the BZ's Version to 4.6 since thats the OCP version, which affected customer is currently on.
Comment 9 errata-xmlrpc 2022-03-10 16:07:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056