Bug 1318796 - HAproxy sets a cookie that contains the internal IP address of a pod
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OKD
Classification: Red Hat
Component: Routing
Version: 3.x
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Phil Cameron
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks: OSOPS_V3 CVE-2016-3711
 
Reported: 2016-03-17 20:40 UTC by Sten Turpin
Modified: 2019-11-14 07:37 UTC

Fixed In Version: atomic-openshift-3.2.0.20
Doc Type: Bug Fix
Doc Text:
Cause: missing code
Consequence: IP is in clear text
Fix: obscure the target IP address in the cookie by hashing the IP address along with other route information
Result: IP is obscured.
Clone Of:
Environment:
Last Closed: 2016-07-08 13:16:33 UTC
Target Upstream Version:
Embargoed:



Description Sten Turpin 2016-03-17 20:40:07 UTC
Description of problem: During security analysis, a customer found that a cookie was being set with the name of "OPENSHIFT_<namespace>_SERVERID", containing the internal IP address of the pod.

Version-Release number of selected component (if applicable): registry.access.redhat.com/openshift3/ose-haproxy-router v3.1.1.6


How reproducible: always


Steps to Reproduce:
1. browse to an app served by the cluster
2. cookie is set

Actual results:
cookie contains the pod IP address

Expected results:
Cookie should not contain identifiable information. Per the customer: "The weakness provides a potential attacker with information on the internal network the site is residing on. Information such as IP schemes allow an attacker to develop a more comprehensive attack plan to pivot on the network or evade detection."

Additional info:

Comment 2 Ben Bennett 2016-04-04 18:36:51 UTC
https://github.com/openshift/origin/pull/8334

Comment 3 Phil Cameron 2016-04-08 15:10:23 UTC
Test added to 
https://github.com/openshift/origin/pull/8334

Comment 4 Phil Cameron 2016-04-12 19:03:54 UTC
https://github.com/openshift/origin/pull/8334 
Fix is Merged in openshift/origin.

Comment 5 Eric Rich 2016-04-18 13:16:01 UTC
This does not look to be merged. Can you confirm that it is merged?

Comment 6 Phil Cameron 2016-04-18 13:24:43 UTC
Eric Rich, As far as I know Eric Paris merged the fix. What information do you need?

Comment 7 Eric Rich 2016-04-18 13:42:07 UTC
(In reply to Phil Cameron from comment #6)
> Eric Rich, As far as I know Eric Paris merged the fix. What information do
> you need?

PR upstream is not merged, but open. This is what I am referring to. https://github.com/openshift/origin/pull/8334

Comment 8 Ben Bennett 2016-04-20 15:24:29 UTC
PR has merged.

Comment 9 zhaozhanqi 2016-04-21 08:07:06 UTC
Rebuilt the router image using the latest code and checked that the cookie values have changed to a hash.

Verified this bug.
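The check described in comment 9, together with the fix summarized in the Doc Text, as an added example that is not part of this bug report or of the openshift/origin code. The function names, the sample cookie lines, the route name and the use of SHA-256 are assumptions made for illustration; the upstream change may hash different fields with a different algorithm.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
	"net/http"
	"regexp"
	"strings"
)

// Candidate dotted quads; net.ParseIP rejects out-of-range octets afterwards.
var ipv4Like = regexp.MustCompile(`\d{1,3}(?:\.\d{1,3}){3}`)

// leakedIPs (hypothetical helper) parses one Set-Cookie header value and returns
// every IPv4 address embedded in an OPENSHIFT_<namespace>_SERVERID cookie.
func leakedIPs(setCookie string) []string {
	resp := http.Response{Header: http.Header{"Set-Cookie": {setCookie}}}
	var found []string
	for _, c := range resp.Cookies() {
		if !strings.HasPrefix(c.Name, "OPENSHIFT_") || !strings.HasSuffix(c.Name, "_SERVERID") {
			continue // not the router's stickiness cookie
		}
		for _, m := range ipv4Like.FindAllString(c.Value, -1) {
			if ip := net.ParseIP(m); ip != nil {
				found = append(found, ip.String())
			}
		}
	}
	return found
}

// opaqueServerID (hypothetical helper) derives a stable cookie value from the
// endpoint address plus route information, so stickiness still works while the
// pod address no longer appears in the cookie. SHA-256 is an assumption here.
func opaqueServerID(namespace, route, endpoint string) string {
	sum := sha256.Sum256([]byte(namespace + "/" + route + "/" + endpoint))
	return hex.EncodeToString(sum[:16])
}

func main() {
	// Constructed sample headers: pre-fix style value, then a hashed value.
	before := "OPENSHIFT_demo_SERVERID=10.1.2.3:8080; path=/; HttpOnly"
	after := "OPENSHIFT_demo_SERVERID=" + opaqueServerID("demo", "frontend", "10.1.2.3:8080") + "; path=/; HttpOnly"
	fmt.Println("before fix:", leakedIPs(before))
	fmt.Println("after fix: ", leakedIPs(after))
}
```

Running `leakedIPs` over the `Set-Cookie` headers captured from each exposed route gives a repeatable regression check after a router image rebuild.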

