Description of problem:
During security analysis, a customer found that a cookie was being set with the name of "OPENSHIFT_<namespace>_SERVERID", containing the internal IP address of the pod.

Version-Release number of selected component (if applicable):
registry.access.redhat.com/openshift3/ose-haproxy-router v3.1.1.6

How reproducible:
always

Steps to Reproduce:
1. browse to an app served by the cluster
2. cookie is set

Actual results:
cookie contains the pod IP address

Expected results:
Cookie should not contain identifiable information.

Per the customer: "The weakness provides a potential attacker with information on the internal network the site is residing on. Information such as IP schemes allow an attacker to develop a more comprehensive attack plan to pivot on the network or evade detection."

Additional info:
https://github.com/openshift/origin/pull/8334
Test added to https://github.com/openshift/origin/pull/8334
https://github.com/openshift/origin/pull/8334
Fix is merged in openshift/origin.
This does not look to be merged. Can you confirm that it is merged?
Eric Rich, As far as I know Eric Paris merged the fix. What information do you need?
(In reply to Phil Cameron from comment #6)
> Eric Rich, As far as I know Eric Paris merged the fix. What information do
> you need?

PR upstream is not merged, but open. This is what I am referring to.
https://github.com/openshift/origin/pull/8334
PR has merged.
Rebuilt the router image using the latest code and checked that the cookie values have changed to a hash. Verified this bug.
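A check for the condition this bug describes, as an added example that is not part of the original report or of the OpenShift router code: it parses `Set-Cookie` header values and flags any `OPENSHIFT_<namespace>_SERVERID` cookie whose value embeds an IPv4 address. The function names, the namespace `myproject`, the address, the port and the hash-like value are constructed for illustration, and the cookie name is assumed to be unchanged after the fix.

```python
import ipaddress
import re
from http.cookies import SimpleCookie

# Cookie name from the report: OPENSHIFT_<namespace>_SERVERID
SERVERID_RE = re.compile(r"^OPENSHIFT_.+_SERVERID$")
# Dotted-quad candidates anywhere in the value (a ":port" suffix is allowed)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample headers; the namespace, address and hash are made up.
SAMPLE_BEFORE = ["OPENSHIFT_myproject_SERVERID=10.1.2.3:8080; path=/; HttpOnly"]
SAMPLE_AFTER = [
    "OPENSHIFT_myproject_SERVERID=9b1f0c6f2d3e4a5b8c7d6e5f4a3b2c1d; path=/; HttpOnly"
]


def leaked_addresses(value):
    """Return the valid IPv4 addresses embedded in a cookie value."""
    found = []
    for candidate in IPV4_RE.findall(value):
        try:
            found.append(ipaddress.IPv4Address(candidate))
        except ipaddress.AddressValueError:
            continue  # looks like a dotted quad but is not an address
    return found


def audit_set_cookie(headers):
    """Return (cookie name, address, is_private) for each address found."""
    findings = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not SERVERID_RE.match(name):
                continue
            for addr in leaked_addresses(morsel.value):
                findings.append((name, str(addr), addr.is_private))
    return findings


if __name__ == "__main__":
    for label, headers in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_set_cookie(headers) or "no address in cookie value")
```

An empty result for a router's responses matches the verification described in the last comment; a non-empty one with `is_private` set to `True` is the disclosure the customer reported.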