Description of problem:
The default 503 error page includes the Bootstrap license, which has been flagged as a vulnerability as part of our pen test and which we need to remediate before our service can launch.

The Bootstrap license in question is visible at https://github.com/openshift/router/blob/master/images/router/haproxy/conf/error-page-503.http#L12-L17

Updating the license version to reflect only the inclusion of normalize.css rather than the whole of Bootstrap would resolve our issue. The ability to be able to override the 503 error page with a config map, with instructions, could also help resolve the issue.

Version-Release number of selected component (if applicable):

How reproducible:
Do something which results in a 503 error page being shown to the user.

Steps to Reproduce:
1. Incorrectly configure the ingress gateway to an OpenShift cluster.
2. Visit a page on the server.
3. View the license in the HTML.

Actual results:
The following license is included in the HTML:

/*!
 * Bootstrap v3.3.5 (http://getbootstrap.com)
 * Copyright 2011-2015 Twitter, Inc.
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
 */
/*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */

Expected results:
Either the Bootstrap portion of the license is removed, the license is updated, or normalize.css is upgraded.

Additional info:
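As an added example (not part of this bug report, the pen-test report, or the openshift/router code), the following Python linter checks an HAProxy errorfile such as error-page-503.http before it is deployed. An errorfile is a raw HTTP response, so the check splits it into status line, headers and body, then pulls out preserved CSS comments (`/*! ... */`, the form minifiers keep, which is why the Bootstrap and normalize.css headers reached the client) and reports any library name and version they advertise. The two sample responses are constructed to mirror the before-and-after bodies quoted in this bug, not copied from the real errorfile; all function and constant names are my own.

```python
"""Lint an HAProxy errorfile (a raw HTTP response) for library/version leaks
in preserved CSS comments. Added example; not code from openshift/router."""
import re
from typing import Dict, List, Tuple

# Minifiers keep "/*! ... */" comments, which is how the Bootstrap and
# normalize.css headers survived into the served 503 page.
PRESERVED_COMMENT = re.compile(r"/\*!(.*?)\*/", re.S)
# Matches "Bootstrap v3.3.5", "normalize.css v3.0.3", "jQuery 1.12.4", ...
NAME_VERSION = re.compile(r"([A-Za-z][\w.\-]*?)\s+v?(\d+\.\d+(?:\.\d+)?)")


def split_http_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP response into (status code, headers, body).
    Accepts CRLF or LF line endings; header names are lower-cased."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    head = parts[0]
    body = parts[1] if len(parts) > 1 else ""
    lines = head.splitlines()
    status = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0] if lines else "")
    if not status:
        raise ValueError("not an HTTP response: %r" % (lines[:1],))
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status.group(1)), headers, body


def preserved_comments(body: str) -> List[str]:
    """Return the text of every /*! ... */ comment in the body."""
    return [m.group(1).strip() for m in PRESERVED_COMMENT.finditer(body)]


def leaked_libraries(body: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs advertised in preserved comments."""
    leaks = []
    for comment in preserved_comments(body):
        m = NAME_VERSION.search(comment)
        if m:
            leaks.append((m.group(1), m.group(2)))
    return leaks


def lint_errorfile(raw: str, expected_status: int) -> List[str]:
    """Return a list of findings; an empty list means the errorfile is clean."""
    findings = []
    status, headers, body = split_http_response(raw)
    if status != expected_status:
        findings.append("status line says %d, expected %d" % (status, expected_status))
    if "text/html" not in headers.get("content-type", ""):
        findings.append("missing or non-HTML Content-Type header")
    for name, version in leaked_libraries(body):
        findings.append("body advertises %s %s in a preserved comment" % (name, version))
    return findings


# Constructed sample modelled on the pre-fix page quoted in this bug (not the
# real errorfile verbatim): the /*! ... */ headers are what the pen test flagged.
LEAKY_503 = (
    "HTTP/1.0 503 Service Unavailable\r\n"
    "Pragma: no-cache\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><style type=\"text/css\">\n"
    "/*!\n * Bootstrap v3.3.5 (http://getbootstrap.com)\n"
    " * Copyright 2011-2015 Twitter, Inc.\n"
    " * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)\n */\n"
    "/*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */\n"
    "body { color: #333; }\n"
    "</style></head><body><h1>Application is not available</h1></body></html>\n"
)
# The same response with the preserved comments stripped, as in the fixed page.
CLEAN_503 = PRESERVED_COMMENT.sub("", LEAKY_503)


if __name__ == "__main__":
    for label, raw in (("before fix", LEAKY_503), ("after fix", CLEAN_503)):
        print(label + ":", lint_errorfile(raw, 503) or ["clean"])
```

Run it over any custom error page before placing it in the ConfigMap used to override the router's error pages (in OpenShift 4.8 and later the IngressController `spec.httpErrorCodePages` field names a ConfigMap in the openshift-config namespace whose keys are `error-page-503.http` and `error-page-404.http`; confirm the field exists on your cluster's API version before relying on it). A version string in a preserved comment is a fingerprint rather than an exploitable flaw in itself, which is why it surfaces as a pen-test finding rather than as a CVE, but removing it costs nothing and avoids advertising an old front-end library version to everyone who hits a misrouted host.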
Github issue xref https://github.com/openshift/router/issues/296
verified in 4.9.0-0.nightly-2021-06-16-061553

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-06-16-061553   True        False         3m27s   Cluster version is 4.9.0-0.nightly-2021-06-16-061553

# curl a non-existing route, verified that Bootstrap portion of the license is removed
$ curl null.apps.ci-ln-ih3x1r2-f76d1.origin-ci-int-gce.dev.openshift.com
<html>
  <head>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <style type="text/css">
      body {
        font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;
        line-height: 1.66666667;
        font-size: 16px;
        color: #333;
        background-color: #fff;
        margin: 2em 1em;
      }
      h1 {
        font-size: 28px;
        font-weight: 400;
      }
      p {
        margin: 0 0 10px;
      }
      .alert.alert-info {
        background-color: #F0F0F0;
        margin-top: 30px;
        padding: 30px;
      }
      .alert p {
        padding-left: 35px;
      }
      ul {
        padding-left: 51px;
        position: relative;
      }
      li {
        font-size: 14px;
        margin-bottom: 1em;
      }
      p.info {
        position: relative;
        font-size: 20px;
      }
      p.info:before, p.info:after {
        content: "";
        left: 0;
        position: absolute;
        top: 0;
      }
      p.info:before {
        background: #0066CC;
        border-radius: 16px;
        color: #fff;
        content: "i";
        font: bold 16px/24px serif;
        height: 24px;
        left: 0px;
        text-align: center;
        top: 4px;
        width: 24px;
      }
      @media (min-width: 768px) {
        body {
          margin: 6em;
        }
      }
    </style>
  </head>
  <body>
    <div>
      <h1>Application is not available</h1>
      <p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p>
      <div class="alert alert-info">
        <p class="info">
          Possible reasons you are seeing this page:
        </p>
        <ul>
          <li>
            <strong>The host doesn't exist.</strong>
            Make sure the hostname was typed correctly and that a route matching this hostname exists.
          </li>
          <li>
            <strong>The host exists, but doesn't have a matching path.</strong>
            Check if the URL path was typed correctly and that the route was created using the desired path.
          </li>
          <li>
            <strong>Route and path matches, but all pods are down.</strong>
            Make sure that the resources exposed by this route (pods, services, deployment configs, etc) have at least one pod running.
          </li>
        </ul>
      </div>
    </div>
  </body>
</html>
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759