Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1970147

Summary: Weak Cipher in openshift-monitoring
Product: OpenShift Container Platform Reporter: Nowel Bliss <nbliss>
Component: MonitoringAssignee: Filip Petkovski <fpetkovs>
Status: CLOSED ERRATA QA Contact: Junqi Zhao <juzhao>
Severity: low Docs Contact:
Priority: unspecified    
Version: 4.8CC: anpicker, aos-bugs, erooth, spasquie
Target Milestone: ---   
Target Release: 4.9.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-18 17:33:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Results from sslscan
none
serviceMonitor/openshift-monitoring/kubelet/3
none
serviceMonitor/openshift-monitoring/etcd/0
none
serviceMonitor/openshift-monitoring/prometheus-adapter/0 none

Description Nowel Bliss 2021-06-09 22:08:30 UTC 
Created attachment 1789694 [details]
Results from sslscan

Created attachment 1789694 [details]
Results from sslscan

Description of problem:
This component is using weak ciphers when scanned.

Version-Release number of selected component (if applicable):
4.8.0-fc.7

How reproducible:
Utilized sslscan binary provided by https://github.com/rbsec/sslscan to scan endpoint. This is accomplished on one of the hosts with internal SDN access.

Steps to Reproduce:
1. oc debug node/node.name
2. chroot /host
3. toolbox
4. yum install git zlib-devel make gcc -y
5. git clone https://github.com/rbsec/sslscan
6. cd sslscan
7. make static
8. ./sslscan (All openshift-monitoring operator service endpoints)

Actual results:
Endpoints utilize weak ciphers

Expected results:
Only strong ciphers are presented for use

Additional info:
Please review the attached excel spreadsheet for the actual ciphers returned and their stong/weak status. Green is strong Yellow is weak.
Comment 4 Junqi Zhao 2021-06-10 10:51:47 UTC 
Created attachment 1789796 [details]
serviceMonitor/openshift-monitoring/kubelet/3
Comment 5 Junqi Zhao 2021-06-10 10:52:19 UTC 
Created attachment 1789797 [details]
serviceMonitor/openshift-monitoring/etcd/0
Comment 6 Junqi Zhao 2021-06-10 10:54:40 UTC 
for other openshift-monitoring endpoints, only serviceMonitor/openshift-monitoring/prometheus-adapter/0 has issue, see from picture
        "scrapePool": "serviceMonitor/openshift-monitoring/prometheus-adapter/0",
        "scrapeUrl": "https://10.131.0.11:6443/metrics",
        "health": "up"

        "scrapePool": "serviceMonitor/openshift-monitoring/prometheus-adapter/0",
        "scrapeUrl": "https://10.128.2.8:6443/metrics",
        "health": "up"
Comment 7 Junqi Zhao 2021-06-10 10:55:00 UTC 
Created attachment 1789798 [details]
serviceMonitor/openshift-monitoring/prometheus-adapter/0
Comment 8 Simon Pasquier 2021-06-10 13:46:49 UTC 
Thanks Junqi. prometheus-adapter falls under our responsibility but not kubelet and etcd.
Comment 11 Junqi Zhao 2021-06-23 05:46:49 UTC 
tested with 4.9.0-0.nightly-2021-06-22-193627, no issue with prometheus-adapter
Comment 20 errata-xmlrpc 2021-10-18 17:33:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759