Bug 1967228 - 503 Error page contains license for a vulnerable release of Bootstrap
Summary: 503 Error page contains license for a vulnerable release of Bootstrap
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6.z
Hardware: All
OS: All
medium
high
Target Milestone: ---
Target Release: 4.9.0
Assignee: Andrey Lebedev
QA Contact: jechen
URL:
Whiteboard:
Depends On:
Blocks: 1971730
Reported: 2021-06-02 16:17 UTC by Chris W - IBM
Modified: 2022-11-23 03:14 UTC
CC List: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1971730
Environment:
Last Closed: 2021-10-18 17:32:38 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift router pull 300 0 None closed Bug 1967228: error pages - don't use bootstrap/normalize 2021-07-05 20:57:21 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:33:02 UTC

Description Chris W - IBM 2021-06-02 16:17:22 UTC
Description of problem:

The default 503 error page includes the Bootstrap license, which has been flagged as a vulnerability as part of our pen test, which we need to remediate before our service can launch.

The bootstrap license in question is visible at https://github.com/openshift/router/blob/master/images/router/haproxy/conf/error-page-503.http#L12-L17

Updating the license version to reflect only the inclusion of normalize.css rather than the whole bootstrap would resolve our issue.

The ability to be able to override the 503 error page with a config map with instructions could also help resolve the issue.


Version-Release number of selected component (if applicable):


How reproducible:

Do something which results in a 503 error page being shown to the user

Steps to Reproduce:
1. Incorrectly configure the ingress gateway to an openshift cluster.
2. Visit a page on the server
3. View the license in the html

Actual results:
The following license is included in the html
  /*!
   * Bootstrap v3.3.5 (http://getbootstrap.com)
   * Copyright 2011-2015 Twitter, Inc.
   * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
   */
  /*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */


Expected results:
Either the Bootstrap portion of the license is removed, the license is updated, or normalize.css is upgraded


Additional info:

Comment 2 Stephen Greene 2021-06-07 19:00:49 UTC
Github issue xref https://github.com/openshift/router/issues/296

Comment 4 jechen 2021-06-16 13:41:10 UTC
verified in 4.9.0-0.nightly-2021-06-16-061553

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-06-16-061553   True        False         3m27s   Cluster version is 4.9.0-0.nightly-2021-06-16-061553


# curl a non-existing route, verified that Bootstrap portion of the license is removed
$ curl null.apps.ci-ln-ih3x1r2-f76d1.origin-ci-int-gce.dev.openshift.com
<html>
  <head>
    <meta name="viewport" content="width=device-width, initial-scale=1">

    <style type="text/css">
      body {
        font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
        line-height: 1.66666667;
        font-size: 16px;
        color: #333;
        background-color: #fff;
        margin: 2em 1em;
      }
      h1 {
        font-size: 28px;
        font-weight: 400;
      }
      p {
        margin: 0 0 10px;
      }
      .alert.alert-info {
        background-color: #F0F0F0;
        margin-top: 30px;
        padding: 30px;
      }
      .alert p {
        padding-left: 35px;
      }
      ul {
        padding-left: 51px;
        position: relative;
      }
      li {
        font-size: 14px;
        margin-bottom: 1em;
      }
      p.info {
        position: relative;
        font-size: 20px;
      }
      p.info:before, p.info:after {
        content: "";
        left: 0;
        position: absolute;
        top: 0;
      }
      p.info:before {
        background: #0066CC;
        border-radius: 16px;
        color: #fff;
        content: "i";
        font: bold 16px/24px serif;
        height: 24px;
        left: 0px;
        text-align: center;
        top: 4px;
        width: 24px;
      }

      @media (min-width: 768px) {
        body {
          margin: 6em;
        }
      }
    </style>
  </head>
  <body>
    <div>
      <h1>Application is not available</h1>
      <p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p>

      <div class="alert alert-info">
        <p class="info">
          Possible reasons you are seeing this page:
        </p>
        <ul>
          <li>
            <strong>The host doesn't exist.</strong>
            Make sure the hostname was typed correctly and that a route matching this hostname exists.
          </li>
          <li>
            <strong>The host exists, but doesn't have a matching path.</strong>
            Check if the URL path was typed correctly and that the route was created using the desired path.
          </li>
          <li>
            <strong>Route and path matches, but all pods are down.</strong>
            Make sure that the resources exposed by this route (pods, services, deployment configs, etc) have at least one pod running.
          </li>
        </ul>
      </div>
    </div>
  </body>
</html>

Comment 8 errata-xmlrpc 2021-10-18 17:32:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

