Description of problem:
The httpd container in the "metal3" pod in the "openshift-machine-api" namespace (used for serving bare metal ironic images) allows directory listings. A customer has identified this as a vulnerability requiring remediation.

Version-Release number of selected component (if applicable):
OpenShift 4.4.5

How reproducible:

Steps to Reproduce:
1. Install a bare metal IPI cluster
2. Browse to the "httpd" container in the "metal3" pod, something like http://172.22.0.7:6180/images/

Actual results:
A directory listing is served.

Expected results:
No directory listing is served.

Additional info:

$ OPENSHIFT_MACHINE_API_METAL3_POD="$(oc -n openshift-machine-api get pod -l api=clusterapi,k8s-app=controller -o name | grep metal3- | cut -d/ -f2)"
$ echo $OPENSHIFT_MACHINE_API_METAL3_POD
metal3-6674ffcfb-zt6sd
$ oc -n openshift-machine-api get pod $OPENSHIFT_MACHINE_API_METAL3_POD -o json | jq -r '.spec.containers[] | select(.name=="metal3-baremetal-operator") | .env[] | select(.name=="DEPLOY_KERNEL_URL") | .value' | sed -r -e 's;/[^/]+$;;g'
http://172.22.0.7:6180/images
$ curl -s -L http://172.22.0.7:6180/images | head -n12
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /images</title>
 </head>
 <body>
<h1>Index of /images</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a>       </td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="ipa-ramdisk-pkgs.info">ipa-ramdisk-pkgs.info</a>  </td><td align="right">2020-05-18 09:02  </td><td align="right">276 </td><td>&nbsp;</td></tr>

The above output has been truncated.

These are the files appearing in the directory listing:

$ oc -n openshift-machine-api exec -it $OPENSHIFT_MACHINE_API_METAL3_POD -c metal3-httpd -- /bin/bash -c "ls -1 /shared/html/images"
ipa-ramdisk-pkgs.info
ironic-python-agent.initramfs
ironic-python-agent.kernel
rhcos-4.4.3-x86_64-openstack.x86_64.qcow2
rhcos-ootpa-latest.qcow2
rhcos-ootpa-latest.qcow2.md5sum
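The reproduction above is a manual curl plus eyeballing the HTML. The script below, added here as an example and not taken from the bug report or from the metal3/ironic images, turns it into a repeatable check: it recognises a mod_autoindex page in a response body, extracts the file names the listing exposes, statically flags an httpd config fragment whose Options line turns Indexes on, and fetches a URL the way step 2 does. The response bodies, the config fragments, the /shared/html path and the check_url usage line are constructed or assumed for illustration; derive the real URL from DEPLOY_KERNEL_URL as the report does.

```shell
#!/bin/sh
# Added example, not part of the bug report or the metal3/ironic images.
# Detects an Apache-style autoindex page in an HTTP response, lists what it
# exposes, and statically checks an httpd config fragment for the Indexes
# option. The sample bodies, config fragments and URL below are constructed
# or assumed, not captured from a real cluster.

# Constructed response body modelled on what the reporter saw (trimmed).
LISTING_BODY='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /images</title></head><body>
<h1>Index of /images</h1>
<table><tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="ironic-python-agent.kernel">ironic-python-agent.kernel</a></td></tr>
<tr><td><a href="rhcos-ootpa-latest.qcow2">rhcos-ootpa-latest.qcow2</a></td></tr>
</table></body></html>'

# Constructed response body for a server that refuses to list the directory
# (individual files stay fetchable by exact name).
FORBIDDEN_BODY='<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>403 Forbidden</title></head><body>
<h1>Forbidden</h1><p>Access to /images/ on this server is not permitted.</p>
</body></html>'

# Constructed httpd config fragments (hypothetical path): weak and hardened.
WEAK_CONF='<Directory "/shared/html">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>'
HARDENED_CONF='<Directory "/shared/html">
    Options -Indexes +FollowSymLinks
    Require all granted
</Directory>'

# is_directory_listing BODY: exit 0 if BODY looks like a mod_autoindex page.
# Checks the "Index of" title and, as a second signal, the column-sort links
# (?C=N;O=D and friends) that autoindex emits in its table header.
is_directory_listing() {
    printf '%s\n' "$1" | grep -qi '<title>Index of ' ||
        printf '%s\n' "$1" | grep -q 'href="?C=[NMSD];O=[AD]"'
}

# listed_files BODY: print the entries the listing exposes, one per line,
# skipping the sort links (?...) and the parent-directory link (/...).
listed_files() {
    printf '%s\n' "$1" | tr '<' '\n' |
        sed -n 's/^a href="\([^"]*\)".*/\1/p' |
        grep -v -e '^?' -e '^/' || :    # an empty listing is not an error
}

# config_enables_indexes CONF: exit 0 if an Options line switches Indexes on
# ("Indexes", "+Indexes" or "All"); "-Indexes" does not match. This is a
# per-line check and ignores Options merging across nested sections, so it
# complements the live check rather than replacing it.
config_enables_indexes() {
    printf '%s\n' "$1" | grep -i '^[[:space:]]*Options' |
        grep -Eiq '(^|[[:space:]+])(Indexes|All)([[:space:]]|$)'
}

# check_url URL: fetch URL like reproduction step 2 and report. Exit 1 when a
# listing is served, 2 when the fetch fails, 0 otherwise (e.g. a 403 page).
check_url() {
    body=$(curl -sS -L --max-time 10 "$1") || { echo "fetch failed: $1" >&2; return 2; }
    if is_directory_listing "$body"; then
        echo "directory listing served at $1:"
        listed_files "$body" | sed 's/^/  /'
        return 1
    fi
    echo "no directory listing at $1"
}

# Usage (address assumed from the report): ./check_listing.sh http://172.22.0.7:6180/images/
if [ $# -gt 0 ]; then
    check_url "$1"
fi
```

In Apache httpd the listing comes from mod_autoindex and is controlled by the Indexes option, so `Options -Indexes` in the relevant Directory section (or not loading mod_autoindex at all) is the usual way to turn it off; the report does not say how the upstream image change was made, so treat that as general httpd guidance rather than a description of the fix. After remediation, also fetch one known file by name (for example the ironic-python-agent kernel) to confirm provisioning still works, since that is what the bare metal hosts actually download.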
PR submitted to the upstream ironic image; I'll submit it to OpenShift once it's merged.
Created attachment 1711872: output-res

No directory listing is served
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196
https://polarion.engineering.redhat.com/polarion/#/project/OSE/workitem?id=OCP-36371