1656438 – Update Bootstrap to 3.4.0

Bug 1656438 - Update Bootstrap to 3.4.0

Summary: Update Bootstrap to 3.4.0

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Management Console
Sub Component:
Version:	3.11.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	3.11.z
Assignee:	Robb Hamilton
QA Contact:	Yadan Pei
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-12-05 14:05 UTC by Bruno Andrade
Modified:	2022-03-13 16:21 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: Bootstrap v3.3.5 contains a Cross-Site Scripting (XSS) vulnerability. Consequence: None as the management console does not allow user-input to be displayed via a data-target attribute. Fix: Upgrade Bootstrap to v3.4.0, which fixes the vulnerability. Result: The management console is not longer at risk of possible exploit via the Cross-Site Scripting (XSS) vulnerability in Bootstrap v3.3.5.
Clone Of:
Environment:
Last Closed:	2019-01-30 15:19:31 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:0096	0	None	None	None	2019-01-30 15:19:36 UTC

Description Bruno Andrade 2018-12-05 14:05:11 UTC

Description of problem:

One finding we had is that the current version of Bootstrap is v3.3.5 which is known to have some exploits.

Is there a way to use the latest Bootstrap v.4.x instead?

Version-Release number of selected component (if applicable):
3.11.0

Comment 1 Samuel Padgett 2019-01-07 15:06:35 UTC

Here is the related CVE for Bootstrap 3.3.x:

https://nvd.nist.gov/vuln/detail/CVE-2018-14041

Our evaluation is that this is NOT exploitable in OpenShift console as we do not put unknown content into a `data-target` attribute. Regardless, we plan to update to Bootstrap to 3.4.0 in OpenShift 3.11.z, which has a fix for the CVE in Bootstrap:

https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/

Comment 2 Robb Hamilton 2019-01-07 16:20:24 UTC

PR to resolve: https://github.com/openshift/origin-web-console/pull/3105

Comment 4 Yanping Zhang 2019-01-15 03:07:06 UTC

OpenShift Master:
v3.11.69
Kubernetes Master:
v1.11.0+d4cacc0
OpenShift Web Console:
v3.11.69

Tested on ocp 3.11 env with above version, checked in <server>/console/styles/main.css, it indicates bootstrap with version v3.4.0 now.

 * Bootstrap v3.4.0 (https://getbootstrap.com/)
 * Copyright 2011-2018 Twitter, Inc.
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)

I think the bug has been fixed, move it to Verified. If there is something wrong, pls point out, thanks!

Comment 6 errata-xmlrpc 2019-01-30 15:19:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0096

Note You need to log in before you can comment on or make changes to this bug.