Bug 1656438 - Update Bootstrap to 3.4.0
Summary: Update Bootstrap to 3.4.0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 3.11.z
Assignee: Robb Hamilton
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-12-05 14:05 UTC by Bruno Andrade
Modified: 2019-01-30 15:19 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Bootstrap v3.3.5 contains a Cross-Site Scripting (XSS) vulnerability. Consequence: None as the management console does not allow user-input to be displayed via a data-target attribute. Fix: Upgrade Bootstrap to v3.4.0, which fixes the vulnerability. Result: The management console is not longer at risk of possible exploit via the Cross-Site Scripting (XSS) vulnerability in Bootstrap v3.3.5.
Clone Of:
Environment:
Last Closed: 2019-01-30 15:19:31 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0096 None None None 2019-01-30 15:19:36 UTC

Description Bruno Andrade 2018-12-05 14:05:11 UTC
Description of problem:

One finding we had is that the current version of Bootstrap is v3.3.5 which is known to have some exploits.

Is there a way to use the latest Bootstrap v.4.x instead?

Version-Release number of selected component (if applicable):
3.11.0

Comment 1 Samuel Padgett 2019-01-07 15:06:35 UTC
Here is the related CVE for Bootstrap 3.3.x:

https://nvd.nist.gov/vuln/detail/CVE-2018-14041

Our evaluation is that this is NOT exploitable in OpenShift console as we do not put unknown content into a `data-target` attribute. Regardless, we plan to update to Bootstrap to 3.4.0 in OpenShift 3.11.z, which has a fix for the CVE in Bootstrap:

https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/

Comment 2 Robb Hamilton 2019-01-07 16:20:24 UTC
PR to resolve: https://github.com/openshift/origin-web-console/pull/3105

Comment 4 Yanping Zhang 2019-01-15 03:07:06 UTC
OpenShift Master:
v3.11.69
Kubernetes Master:
v1.11.0+d4cacc0
OpenShift Web Console:
v3.11.69

Tested on ocp 3.11 env with above version, checked in <server>/console/styles/main.css, it indicates bootstrap with version v3.4.0 now.

 * Bootstrap v3.4.0 (https://getbootstrap.com/)
 * Copyright 2011-2018 Twitter, Inc.
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)

I think the bug has been fixed, move it to Verified. If there is something wrong, pls point out, thanks!

Comment 6 errata-xmlrpc 2019-01-30 15:19:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0096


Note You need to log in before you can comment on or make changes to this bug.