Bug 1859334 - OpenShift 4.4.5: Directory listings allowed in metal3 httpd containers
Summary: OpenShift 4.4.5: Directory listings allowed in metal3 httpd containers
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Bare Metal Hardware Provisioning
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.6.0
Assignee: Derek Higgins
QA Contact: Polina Rabinovich
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-07-21 17:59 UTC by jteagno
Modified: 2020-12-02 12:09 UTC (History)
CC: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The config for the httpd service serving provisioning images has been tightened.
Clone Of:
Environment:
Last Closed: 2020-10-27 16:16:41 UTC
Target Upstream Version:


Attachments
output-res (97.05 KB, image/png), 2020-08-19 13:09 UTC, Polina Rabinovich


Links
- GitHub metal3-io/ironic-image pull 184 (closed): Remove all unused modules, last updated 2020-12-17 13:31:27 UTC
- GitHub openshift/ironic-image pull 99 (closed): bug 1859334: Remove all unused modules, last updated 2020-12-17 13:31:28 UTC
- Red Hat Product Errata RHBA-2020:4196, last updated 2020-10-27 16:17:00 UTC

Description jteagno 2020-07-21 17:59:52 UTC
Description of problem:

The httpd container in the "metal3" pod in the "openshift-machine-api" namespace (used for serving bare metal ironic images) allows directory listings.

A customer has identified this as a vulnerability requiring remediation.


Version-Release number of selected component (if applicable): OpenShift 4.4.5


How reproducible:


Steps to Reproduce:
1. Install a bare metal IPI cluster
2. Browse to the "httpd" container in the "metal3" pod, something like http://172.22.0.7:6180/images/

Actual results:

A directory listing is served.


Expected results:

No directory listing is served.


Additional info:

$ OPENSHIFT_MACHINE_API_METAL3_POD="$(oc -n openshift-machine-api get pod -l api=clusterapi,k8s-app=controller -o name | grep metal3- | cut -d/ -f2)"

$ echo $OPENSHIFT_MACHINE_API_METAL3_POD
metal3-6674ffcfb-zt6sd

$ oc -n openshift-machine-api get pod $OPENSHIFT_MACHINE_API_METAL3_POD -o json | jq -r '.spec.containers[] | select(.name=="metal3-baremetal-operator") | .env[] | select(.name=="DEPLOY_KERNEL_URL") | .value' | sed -r -e 's;/[^/]+$;;g'
http://172.22.0.7:6180/images

$ curl -s -L http://172.22.0.7:6180/images | head -n12
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /images</title>
 </head>
 <body>
<h1>Index of /images</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a>       </td><td> </td><td align="right">  - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="ipa-ramdisk-pkgs.info">ipa-ramdisk-pkgs.info</a>  </td><td align="right">2020-05-18 09:02  </td><td align="right">276 </td><td> </td></tr>

The above output has been truncated. These are the files appearing in the directory listing:

$ oc -n openshift-machine-api exec -it $OPENSHIFT_MACHINE_API_METAL3_POD -c metal3-httpd -- /bin/bash -c "ls -1 /shared/html/images"
ipa-ramdisk-pkgs.info
ironic-python-agent.initramfs
ironic-python-agent.kernel
rhcos-4.4.3-x86_64-openstack.x86_64.qcow2
rhcos-ootpa-latest.qcow2
rhcos-ootpa-latest.qcow2.md5sum
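
The two checks a reviewer of this report would want, as an added example that is not code from the bug report or from the ironic-image project: one function recognises an Apache mod_autoindex listing in a fetched response body (the `Index of /` title and the `?C=N;O=D` sort links seen above), and one flags an httpd `Options` line that enables `Indexes`. The response bodies and config fragments are constructed samples; the linked fix removed unused httpd modules instead, so the `Options` check is an assumed config-level control, not the fix as merged.

```shell
#!/bin/sh
# Added example, not from the bug report or the ironic-image project.
# Detect a mod_autoindex directory listing in an HTTP body and flag an
# httpd config fragment whose Options line enables Indexes.

# Constructed sample: what the vulnerable metal3 httpd returned for /images/
LISTING_BODY='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /images</title></head>
<body><h1>Index of /images</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th></tr>
<tr><td><a href="ironic-python-agent.kernel">ironic-python-agent.kernel</a></td></tr>
</table></body></html>'

# Constructed sample: response once listings are disabled
FORBIDDEN_BODY='<html><head><title>403 Forbidden</title></head>
<body><h1>Forbidden</h1><p>You do not have permission to access /images/.</p>
</body></html>'

# Constructed config fragments: listing enabled vs. disabled for the share dir
WEAK_CONF='<Directory "/shared/html">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>'
HARDENED_CONF='<Directory "/shared/html">
    Options -Indexes +FollowSymLinks
    Require all granted
</Directory>'

# 0 (true) when BODY looks like a mod_autoindex page: the generated title and
# the column-sort query links are stable markers of the module's output.
is_dir_listing() {
  printf '%s' "$1" | grep -q '<title>Index of /' ||
  printf '%s' "$1" | grep -q 'href="?C=N;O=D"'
}

# 0 (true) when CONF has an Options line that turns Indexes on, either bare
# ("Options Indexes ...") or additive ("+Indexes"); "-Indexes" or no Indexes
# token means listings stay off for that directory.
config_allows_indexes() {
  printf '%s\n' "$1" | grep -Ei '^[[:space:]]*Options[[:space:]]' |
    grep -Eiq '(^|[[:space:]+])Indexes([[:space:]]|$)'
}

# Live check against a running httpd (not invoked here): follows redirects
# like the reporter's curl and returns 0 when the URL serves a listing.
check_url_listing() {
  is_dir_listing "$(curl -s -L "$1")"
}
```

Pipe a captured body into `is_dir_listing`, or a container's httpd.conf into `config_allows_indexes`, to re-verify after an image update.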

Comment 1 Derek Higgins 2020-07-30 11:45:57 UTC
PR submitted to the upstream ironic image, I'll submit it to openshift once it's merged.

Comment 4 Polina Rabinovich 2020-08-19 13:09:18 UTC
Created attachment 1711872
output-res

No directory listing is served

Comment 6 errata-xmlrpc 2020-10-27 16:16:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196
