Bug 1970147 - Weak Cipher in openshift-monitoring
Summary: Weak Cipher in openshift-monitoring
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 4.8
Hardware: x86_64
OS: Linux
Target Milestone: ---
: 4.9.0
Assignee: Filip Petkovski
QA Contact: Junqi Zhao
Depends On:
TreeView+ depends on / blocked
Reported: 2021-06-09 22:08 UTC by Nowel Bliss
Modified: 2022-05-31 15:28 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2021-10-18 17:33:33 UTC
Target Upstream Version:

Attachments (Terms of Use)
Results from sslscan (12.97 KB, application/zip)
2021-06-09 22:08 UTC, Nowel Bliss
no flags Details
serviceMonitor/openshift-monitoring/kubelet/3 (65.31 KB, image/png)
2021-06-10 10:51 UTC, Junqi Zhao
no flags Details
serviceMonitor/openshift-monitoring/etcd/0 (89.73 KB, image/png)
2021-06-10 10:52 UTC, Junqi Zhao
no flags Details
serviceMonitor/openshift-monitoring/prometheus-adapter/0 (156.52 KB, image/png)
2021-06-10 10:55 UTC, Junqi Zhao
no flags Details

System ID Private Priority Status Summary Last Updated
Github openshift cluster-monitoring-operator pull 1234 0 None open Bug 1970147: jsonnet: disable insecure cypher suites for prometheus-adapter 2021-06-22 09:23:49 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:34:03 UTC

Description Nowel Bliss 2021-06-09 22:08:30 UTC
Created attachment 1789694 [details]
Results from sslscan

Created attachment 1789694 [details]
Results from sslscan

Description of problem:
This component is using weak ciphers when scanned.

Version-Release number of selected component (if applicable):

How reproducible:
Utilized sslscan binary provided by https://github.com/rbsec/sslscan to scan endpoint. This is accomplished on one of the hosts with internal SDN access.

Steps to Reproduce:
1. oc debug node/node.name
2. chroot /host
3. toolbox
4. yum install git zlib-devel make gcc -y
5. git clone https://github.com/rbsec/sslscan
6. cd sslscan
7. make static
8. ./sslscan (All openshift-monitoring operator service endpoints)

Actual results:
Endpoints utilize weak ciphers

Expected results:
Only strong ciphers are presented for use

Additional info:
Please review the attached excel spreadsheet for the actual ciphers returned and their stong/weak status. Green is strong Yellow is weak.

Comment 4 Junqi Zhao 2021-06-10 10:51:47 UTC
Created attachment 1789796 [details]

Comment 5 Junqi Zhao 2021-06-10 10:52:19 UTC
Created attachment 1789797 [details]

Comment 6 Junqi Zhao 2021-06-10 10:54:40 UTC
for other openshift-monitoring endpoints, only serviceMonitor/openshift-monitoring/prometheus-adapter/0 has issue, see from picture
        "scrapePool": "serviceMonitor/openshift-monitoring/prometheus-adapter/0",
        "scrapeUrl": "",
        "health": "up"

        "scrapePool": "serviceMonitor/openshift-monitoring/prometheus-adapter/0",
        "scrapeUrl": "",
        "health": "up"

Comment 7 Junqi Zhao 2021-06-10 10:55:00 UTC
Created attachment 1789798 [details]

Comment 8 Simon Pasquier 2021-06-10 13:46:49 UTC
Thanks Junqi. prometheus-adapter falls under our responsibility but not kubelet and etcd.

Comment 11 Junqi Zhao 2021-06-23 05:46:49 UTC
tested with 4.9.0-0.nightly-2021-06-22-193627, no issue with prometheus-adapter

Comment 20 errata-xmlrpc 2021-10-18 17:33:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.