Bug 2059122

Summary: Hiding Server Name HTTP header from TornadoServer (used in pcs/pcsd)
Product: Red Hat Enterprise Linux 9
Reporter: Tomas Jelinek <tojeline>
Component: pcs
Assignee: Ivan Devat <idevat>
Status: CLOSED ERRATA
QA Contact: cluster-qe <cluster-qe>
Severity: low
Priority: low
Version: 9.0
CC: cluster-maint, cluster-qe, idevat, mlisik, mmazoure, mpospisi, nhostako, omular, revijaya, sbradley, security-response-team, tojeline
Target Milestone: rc
Keywords: Security, Triaged
Target Release: 9.1
Hardware: x86_64
OS: Linux
Fixed In Version: pcs-0.11.3-1.el9
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 2058278
Last Closed: 2022-11-15 09:49:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Tomas Jelinek 2022-02-28 09:16:36 UTC
+++ This bug was initially created as a clone of Bug #2058278 +++

Description of problem:
When an HTTP request is made against a cluster node running pcsd, the HTTP response contains the HTTP Server name in its headers.
This is perceived as a security threat.
This bug report is opened to investigate whether there is a way to hide that header or prevent disclosing the server name in a different way.

Version-Release number of selected component (if applicable):
pcs-0.10.10-4.el8.x86_64


How reproducible:
Easily, every time.


Steps to Reproduce:
1. Install and start pcsd
2. Send an HTTP request to the node
# curl -kv https://localhost:2224 2>&1 | awk '/Server:/'
< Server: TornadoServer/6.1



Actual results:
# curl -kv https://localhost:2224 2>&1 | awk '/Server:/'
< Server: TornadoServer/6.1


Expected results:
# curl -kv https://localhost:2224 2>&1 | awk '/Server:/'
< Server:


Or the following line is obfuscated/nullified/hidden.
< Server: TornadoServer/6.1



Additional info:

--- Additional comment from RESHMA K VIJAYAN on 2022-02-24 17:03:12 CET ---

We already have one present for RHEL 7 : https://bugzilla.redhat.com/show_bug.cgi?id=1765606
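
The check and the mitigation described above, as an added example that is not pcs/pcsd code and not the Tornado fix shipped in the errata. It uses only the Python standard library so it runs offline: a small http.server application reproduces the leak (stdlib's BaseHTTPRequestHandler advertises "BaseHTTP/x Python/y" the same way Tornado advertises "TornadoServer/6.1") and then suppresses it, and a header parser replays the curl|awk check from the report on raw response bytes. The handler classes, LEAKY_RESPONSE sample and function names are constructed for this example.

```python
"""Checking for and suppressing the HTTP Server header (added example)."""
import http.client
import http.server
import threading
from typing import Dict, Optional


def server_header_finding(raw_response: bytes) -> Optional[str]:
    """Return the value of the Server header in a raw HTTP response, or None.

    Equivalent to the report's `awk '/Server:/'` check but header-aware: the
    header name is matched case-insensitively and the body is ignored, so a
    page that merely contains the text 'Server:' is not a false positive.
    """
    head, _, _body = raw_response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


# Constructed sample, modelled on the response quoted in the bug report.
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: TornadoServer/6.1\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>Server: this is body text, not a header</html>"
)


class LeakyHandler(http.server.BaseHTTPRequestHandler):
    """Default behaviour: send_response() adds 'Server: BaseHTTP/x Python/y'."""

    def do_GET(self) -> None:
        body = b"hello\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


class QuietHandler(LeakyHandler):
    """Same handler with the Server header suppressed.

    BaseHTTPRequestHandler.send_response() emits Server and Date itself, so
    this override writes the status line and Date only. (In Tornado the
    analogous hook is RequestHandler.set_default_headers(), where
    self.clear_header("Server") drops the header that clear() pre-populates.)
    """

    def send_response(self, code, message=None) -> None:
        self.log_request(code)
        self.send_response_only(code, message)
        self.send_header("Date", self.date_time_string())


def fetch_headers(handler_cls) -> Dict[str, str]:
    """Serve one GET from handler_cls on a loopback port and return its headers."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", srv.server_address[1], timeout=5)
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
        headers = dict(resp.getheaders())
        conn.close()
    finally:
        srv.shutdown()
        srv.server_close()
    return headers


def server_header_of(handler_cls) -> Optional[str]:
    """Case-insensitive lookup of the Server header a handler class sends."""
    for name, value in fetch_headers(handler_cls).items():
        if name.lower() == "server":
            return value
    return None


if __name__ == "__main__":
    print("raw sample  :", server_header_finding(LEAKY_RESPONSE))
    print("LeakyHandler:", server_header_of(LeakyHandler))
    print("QuietHandler:", server_header_of(QuietHandler))
```

The parser is the part worth keeping in a verification script: grepping the whole curl output for "Server:" also matches body text, whereas checking only the header block gives a definite answer for the "Expected results" above. Note that removing the header is hygiene rather than a control; the same product can usually still be fingerprinted from response formatting, error pages and TLS configuration, so the header should be suppressed alongside, not instead of, keeping pcsd patched.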

Comment 3 Miroslav Lisik 2022-06-24 13:09:45 UTC
DevTestResults:

[root@r91-1 pcs]# rpm -q pcs
pcs-0.11.3-1.el9.x86_64

[root@r91-1 pcs]# systemctl show -p ActiveState pcsd
ActiveState=active
[root@r91-1 pcs]# curl -kv https://localhost:2224 |& awk '/Server:/'

No HTTP header Server.

Comment 9 errata-xmlrpc 2022-11-15 09:49:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: pcs security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7935