Bug 2175960

Summary: [NooBaa]CWE-693: Protection Mechanism Failure detected in ODF 4.10 Noobaa
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Reporter: James Biao <jbiao>
Component: Multi-Cloud Object Gateway
Assignee: Nimrod Becker <nbecker>
Status: CLOSED WONTFIX
QA Contact: krishnaram Karthick <kramdoss>
Severity: medium
Docs Contact:
Priority: medium
Version: 4.10
CC: gbanchelli, hnallurv, mhackett, nbecker, ocs-bugs, odf-bz-bot
Target Milestone: ---
Target Release: ---
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-02 22:45:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description James Biao 2023-03-06 23:47:45 UTC
Description of problem (please be as detailed as possible and provide log snippets):

* Issue detail: A security scan performed on the OCP cluster with a Qualys tool has highlighted a potential weakness in the Noobaa component which is listening on ports 30194, 32466, 31482.

This QID reports the absence of the following HTTP headers (https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers) according to CWE-693: Protection Mechanism Failure (https://cwe.mitre.org/data/definitions/693.html):

X-Content-Type-Options: This HTTP header will prevent the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header.  
Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. 

QID Detection Logic:
This unauthenticated QID looks for the presence of the following HTTP responses:
The valid directives are as below:
X-Content-Type-Options: nosniff 
Strict-Transport-Security: max-age=< [;includeSubDomains]



Version of all relevant components (if applicable):
ODF 4.10

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?
Yes. Security risk

Is there any workaround available to the best of your knowledge?
no

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?


Can this issue reproducible?
Yes

Can this issue reproduce from the UI?
n/a

If this is a regression, please provide more details to justify this:


Steps to Reproduce:
1. Install ODF 4.10
2. Scan with a Qualys tool
3.


Actual results:
NooBaa listening on ports 30194, 32466, 31482

Expected results:
NooBaa not listening on ports 30194, 32466, 31482

Additional info:
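The QID detection logic quoted in the report is simple enough to re-run without the scanner: fetch a response from the endpoint and check for `X-Content-Type-Options: nosniff` and a `Strict-Transport-Security` header carrying a numeric `max-age`. The following is an added example, not code from the bug report or from NooBaa; the two sample responses are constructed to illustrate the unhardened case the scanner flagged and a hardened one, and `fetch_raw_headers` is a hypothetical helper for running the same check against a live port.

```python
"""Offline re-check of the two response headers the Qualys QID looks for.

Added example (not part of the bug report or of NooBaa). It reproduces the
QID's detection logic so a cluster admin can verify a fix or an exception
without re-running the scanner.
"""
import http.client
import re
import ssl

MISSING = "missing"


def parse_response_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.x response into a dict keyed by
    lower-cased header name. Repeated headers are joined with ', '."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # line 0 is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def check_hsts(value: str) -> dict:
    """Validate 'Strict-Transport-Security: max-age=<seconds>[; includeSubDomains]'.
    The QID only requires max-age to be present; the parsed value and the
    includeSubDomains flag are returned so a reviewer can judge the policy."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    valid = max_age is not None and re.fullmatch(r"\d+", max_age) is not None
    return {
        "valid": valid,
        "max_age": int(max_age) if valid else None,
        "include_subdomains": "includesubdomains" in directives,
    }


def check_secure_headers(raw: str) -> dict:
    """Apply the QID's two checks to a raw response; a CWE-693 finding is
    raised when either header is missing or malformed."""
    headers = parse_response_headers(raw)
    xcto = headers.get("x-content-type-options")
    hsts = headers.get("strict-transport-security")
    if xcto is None:
        xcto_status = MISSING
    else:
        xcto_status = "ok" if xcto.lower() == "nosniff" else f"invalid: {xcto}"
    if hsts is None:
        hsts_status = MISSING
    else:
        hsts_status = "ok" if check_hsts(hsts)["valid"] else f"invalid: {hsts}"
    result = {
        "x_content_type_options": xcto_status,
        "strict_transport_security": hsts_status,
    }
    result["cwe_693_finding"] = any(v != "ok" for v in result.values())
    return result


def fetch_raw_headers(host: str, port: int, use_tls: bool = True, path: str = "/") -> str:
    """Hypothetical helper: GET host:port and rebuild a raw header block for
    check_secure_headers(). The default TLS context is used, so a self-signed
    certificate fails closed instead of being trusted silently."""
    if use_tls:
        conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    raw = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
    raw += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders()) + "\r\n"
    conn.close()
    return raw


# Constructed sample: a response with neither header, as the scanner reported.
UNHARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 2\r\n"
    "\r\n{}"
)
# Constructed sample: the same response carrying the directives the QID expects.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Length: 2\r\n"
    "\r\n{}"
)

if __name__ == "__main__":
    for label, sample in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(label, check_secure_headers(sample))
```

Header names are matched case-insensitively and `nosniff` is accepted in any case, matching how browsers treat the directive; the HSTS check deliberately reports `max_age` rather than judging it, since the QID itself only tests presence.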