OpenShift Container Platform 3.6 and earlier versions were too permissive in the way they specified CORS allowed origins. An attacker able to perform an XSS attack on a vulnerable OCP cluster can use this flaw to perform a phishing attack.
Acknowledgments: Name: Dave Baker (Red Hat)
One-liner detection script: this will return any values in the corsAllowedOrigins list that do not start with the suggested regex preamble.

~~~
$ sed -ne '/^corsAllowedOrigins:/,/^[a-z]/{ /^\s*-\s*[a-z]/p }' /etc/origin/master/master-config.yaml
~~~
Statement: While this issue was fixed in the installer for OCP 3.7 and later, a cluster originally installed with 3.6 and then upgraded using the openshift-ansible tool remains vulnerable to this issue. To detect whether an OCP cluster is vulnerable, run this script on any master node in the cluster. Any output indicates poorly formatted lines that need mitigation.

~~~
$ sed -ne '/^corsAllowedOrigins:/,/^[a-z]/{ /^\s*-\s*[a-zA-Z0-9]/p }' /etc/origin/master/master-config.yaml
~~~
Mitigation: Ensure that the corsAllowedOrigins definition within master-config.yaml contains elements in the form

~~~
corsAllowedOrigins:
- (?i)//my\.subdomain\.domain\.com(:|\z)
~~~

and not the form

~~~
corsAllowedOrigins:
- domain.com
~~~

The first form permits cross-origin requests only if the host matches exactly, whereas the second permits them from any host that merely contains the string (such as ABCDdomain.com or even domain.comABCD.com).
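As an added illustration that is not part of the advisory, the following Go program flags bare entries the way the sed one-liner does, then evaluates both entry forms against Origin header values as regular expressions matched unanchored, which is how the "merely contains the string" behaviour arises. The sample list and the Origin values are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed corsAllowedOrigins list (not from the advisory): the first entry is
// in the recommended anchored form, the second is the bare hostname form.
var sampleOrigins = []string{
	`(?i)//my\.subdomain\.domain\.com(:|\z)`,
	`domain.com`,
}

// flagUnanchored returns what the advisory's sed one-liner prints: entries that
// begin with a letter or digit instead of the (?i)// preamble.
func flagUnanchored(origins []string) []string {
	var bad []string
	for _, o := range origins {
		if regexp.MustCompile(`^[a-zA-Z0-9]`).MatchString(o) {
			bad = append(bad, o)
		}
	}
	return bad
}

// originAllowed treats each entry as a regular expression matched unanchored
// against the request's Origin header, so a bare "domain.com" matches anywhere
// in the value (and its "." matches any character).
func originAllowed(origins []string, origin string) (bool, error) {
	for _, p := range origins {
		re, err := regexp.Compile(p)
		if err != nil {
			return false, fmt.Errorf("bad corsAllowedOrigins entry %q: %w", p, err)
		}
		if re.MatchString(origin) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	fmt.Println("entries needing mitigation:", flagUnanchored(sampleOrigins))
	for _, o := range []string{"https://my.subdomain.domain.com:8443", "https://ABCDdomain.com", "https://domain.comABCD.com"} {
		anchoredOnly, _ := originAllowed(sampleOrigins[:1], o)
		withBare, _ := originAllowed(sampleOrigins, o)
		fmt.Printf("%-38s anchored entry only: %-5v with bare entry: %v\n", o, anchoredOnly, withBare)
	}
}
```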