Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1772000

Summary: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in Grafana route
Product: OpenShift Container Platform Reporter: Frederic Branczyk <fbranczy>
Component: MonitoringAssignee: Frederic Branczyk <fbranczy>
Status: CLOSED ERRATA QA Contact: Junqi Zhao <juzhao>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.3.0CC: alegrand, anpicker, aos-bugs, erooth, juzhao, kakkoyun, lcosic, mloibl, mmasters, pkrupa, sgarciam, surbania
Target Milestone: ---   
Target Release: 4.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1763634 Environment:
Last Closed: 2020-01-23 11:12:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Frederic Branczyk 2019-11-13 11:58:06 UTC 
+++ This bug was initially created as a clone of Bug #1763634 +++

Locations
https://grafana-openshift-monitoring.apps.test.labs.com

Description
The secure flag is used to prevent any sensitive cookie values from being sent over an unencrypted channel. When the secure flag is set by the server the browser will not transmit the cookie over HTTP The affected application fails to set this flag on what appears to be a session token. A suitable placed attacker could perform a Man in the Middle attack to downgrade an SSL connection from a client and capture the cookie value when it sent over HTTP even if the backend server rejects the connection the client will still attempt to send it via HTTP.

Exploitation
The following cookie is set by the Grafana application without the Secure flag set

Recommendations
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS – including session tokens.

References
https://cwe.mitre.org/data/definitions/614.html

--- Additional comment from Miciah Dashiel Butler Masters on 2019-11-06 15:56:54 UTC ---

> The following cookie is set by the Grafana application without the Secure flag set

What cookie?  Can you also provide the haproxy.config (or at least the configuration block for the backend corresponding to the route)?

It is possible the router set a cookie for session stickiness, but if it  did, the cookie should be marked secure:  https://github.com/openshift/router/blob/e7479192fadbc469e6f16ef752c5acfa99519690/images/router/haproxy/conf/haproxy-config.template#L442-L443

--- Additional comment from Sergio G. on 2019-11-12 07:14:20 UTC ---

The referred cookie is grafana_sess.

Regards,
Sergio

--- Additional comment from Miciah Dashiel Butler Masters on 2019-11-12 18:01:18 UTC ---

The cookie in question is set by Grafana, so I am moving this Bugzilla report to the Monitoring component (which I hope includes Grafana).

It seems like the problem could be solved by adding "cookie_secure = false" to the base64-encoded grafana.ini here, but I have not tested such a change: https://github.com/openshift/cluster-monitoring-operator/blob/master/assets/grafana/config.yaml

--- Additional comment from Frederic Branczyk on 2019-11-13 11:48:57 UTC ---

Merged the fix for 3.11 https://github.com/openshift/cluster-monitoring-operator/pull/546

We're continuing with the 4.x releases.
Comment 1 Frederic Branczyk 2019-11-13 12:00:52 UTC 
Unlinking bugs just for 4.x bugzilla tooling to work.
Comment 6 errata-xmlrpc 2020-01-23 11:12:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062