1763634 – CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in Grafana route

Bug 1763634 - CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in Grafana route

Summary: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in Graf...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Monitoring
Sub Component:
Version:	3.11.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	3.11.z
Assignee:	Frederic Branczyk
QA Contact:	Junqi Zhao
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-10-21 08:22 UTC by Sergio G.
Modified:	2023-03-24 15:43 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1772000 (view as bug list)
Environment:
Last Closed:	2019-12-16 11:57:10 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:4050	0	None	None	None	2019-12-16 11:57:26 UTC

Description Sergio G. 2019-10-21 08:22:45 UTC

Locations
https://grafana-openshift-monitoring.apps.test.labs.com

Description
The secure flag is used to prevent any sensitive cookie values from being sent over an unencrypted channel. When the secure flag is set by the server the browser will not transmit the cookie over HTTP The affected application fails to set this flag on what appears to be a session token. A suitable placed attacker could perform a Man in the Middle attack to downgrade an SSL connection from a client and capture the cookie value when it sent over HTTP even if the backend server rejects the connection the client will still attempt to send it via HTTP.

Exploitation
The following cookie is set by the Grafana application without the Secure flag set

Recommendations
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS – including session tokens.

References
https://cwe.mitre.org/data/definitions/614.html

Comment 1 Miciah Dashiel Butler Masters 2019-11-06 15:56:54 UTC

> The following cookie is set by the Grafana application without the Secure flag set

What cookie?  Can you also provide the haproxy.config (or at least the configuration block for the backend corresponding to the route)?

It is possible the router set a cookie for session stickiness, but if it  did, the cookie should be marked secure:  https://github.com/openshift/router/blob/e7479192fadbc469e6f16ef752c5acfa99519690/images/router/haproxy/conf/haproxy-config.template#L442-L443

Comment 2 Sergio G. 2019-11-12 07:14:20 UTC

The referred cookie is grafana_sess.

Regards,
Sergio

Comment 3 Miciah Dashiel Butler Masters 2019-11-12 18:01:18 UTC

The cookie in question is set by Grafana, so I am moving this Bugzilla report to the Monitoring component (which I hope includes Grafana).

It seems like the problem could be solved by adding "cookie_secure = false" to the base64-encoded grafana.ini here, but I have not tested such a change: https://github.com/openshift/cluster-monitoring-operator/blob/master/assets/grafana/config.yaml

Comment 4 Frederic Branczyk 2019-11-13 11:48:57 UTC

Merged the fix for 3.11 https://github.com/openshift/cluster-monitoring-operator/pull/546

We're continuing with the 4.x releases.

Comment 8 errata-xmlrpc 2019-12-16 11:57:10 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:4050

Note You need to log in before you can comment on or make changes to this bug.