Bug 1980235 - OAuth proxy version is displayed and should be removed.
Summary: OAuth proxy version is displayed and should be removed.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oauth-proxy
Version: 4.6
Hardware: All
OS: Other
Priority: medium
Severity: low
Target Milestone: ---
Target Release: 4.9.0
Assignee: Standa Laznicka
QA Contact: Ke Wang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-07-08 07:37 UTC by Nitish Kaushik
Modified: 2021-10-18 17:38 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:38:24 UTC
Target Upstream Version:
Embargoed:




Links:
- Github openshift/oauth-proxy pull 218 (open): "Bug 1980235: deprecate version", last updated 2021-07-08 08:06:41 UTC
- Red Hat Product Errata RHSA-2021:3759, last updated 2021-10-18 17:38:42 UTC

Description Nitish Kaushik 2021-07-08 07:37:39 UTC
Description of problem:

During a penetration test we had a medium warning regarding the official OAuth proxy image.
The version is displayed in the page footer.
This information can be useful for an attacker if an exploitable vulnerability exists for that version in order to compromise the server.

Could you please fix it in the official image?


Version-Release number of selected component (if applicable): OCP 4.6

oauth proxy version (2.3.0)

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
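As an added example (not code from this bug report or from the oauth-proxy project), the following Python check is the kind of thing a tester can run against a rendered sign-in page to confirm whether a version string is disclosed in the footer, which is what the reporter found and what the verification in this bug checked by hand. The two sample pages are constructed for the example; the exact footer markup that oauth-proxy renders is not quoted in the bug, so the "Secured with ... version 2.3.0" text is an assumption about what such a disclosure looks like.

```python
from __future__ import annotations

import re
from html.parser import HTMLParser

# Constructed sample: a sign-in page whose footer discloses the proxy version
# (assumed shape of the disclosure; not the real oauth-proxy template).
UNFIXED_PAGE = """<html><body>
<form method="GET" action="/oauth/start"><button>Log in with OpenShift</button></form>
<footer>Secured with <a href="https://github.com/openshift/oauth-proxy">OAuth Proxy</a> version 2.3.0</footer>
</body></html>"""

# Constructed sample: the same page after the version string has been dropped.
FIXED_PAGE = """<html><body>
<form method="GET" action="/oauth/start"><button>Log in with OpenShift</button></form>
<footer>Secured with <a href="https://github.com/openshift/oauth-proxy">OAuth Proxy</a></footer>
</body></html>"""

# Matches "version 2.3.0", "v2.3.0", "Version 2.3" and similar banner strings.
VERSION_RE = re.compile(r"\bv(?:ersion)?\s*(\d+(?:\.\d+){1,2})\b", re.IGNORECASE)

# Tags that never get a closing tag, so they must not be pushed on the stack.
_VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "wbr"}


class _PageText(HTMLParser):
    """Collects the text of the whole page and, separately, the text inside
    any <footer> element or element carrying a 'footer' class."""

    def __init__(self) -> None:
        super().__init__()
        self._stack: list[str] = []   # open tags while inside a footer region
        self.footer_text: list[str] = []
        self.all_text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in _VOID_TAGS:
            return
        if self._stack:
            self._stack.append(tag)
            return
        classes = (dict(attrs).get("class") or "").split()
        if tag == "footer" or "footer" in classes:
            self._stack.append(tag)

    def handle_endtag(self, tag):
        if self._stack and self._stack[-1] == tag:
            self._stack.pop()

    def handle_data(self, data):
        self.all_text.append(data)
        if self._stack:
            self.footer_text.append(data)


def find_version_disclosure(html: str) -> list[tuple[str, str]]:
    """Return (location, version) pairs for version strings found in the page.

    Footer hits are reported first; anything else found in the page text is
    reported with location 'page'. An empty list means nothing was disclosed.
    """
    parser = _PageText()
    parser.feed(html)
    found: list[tuple[str, str]] = []
    for version in VERSION_RE.findall(" ".join(parser.footer_text)):
        found.append(("footer", version))
    for version in VERSION_RE.findall(" ".join(parser.all_text)):
        if ("footer", version) not in found:
            found.append(("page", version))
    return found


def check_url(url: str, timeout: float = 10.0) -> list[tuple[str, str]]:
    """Fetch a live sign-in page and run the same check (needs network access;
    the URL of the cluster's route is supplied by the caller)."""
    import urllib.request

    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return find_version_disclosure(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print("unfixed:", find_version_disclosure(UNFIXED_PAGE))
    print("fixed:  ", find_version_disclosure(FIXED_PAGE))
```

Run it as-is to see the two constructed samples classified, or call `check_url` with the HTTPS URL of a route fronted by oauth-proxy to check a real sign-in page; an empty result is the expected outcome after the fix in this bug.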

Comment 2 Standa Laznicka 2021-07-08 07:41:09 UTC
The oauth-proxy version has been the same over the course of the OpenShift 4.x lifetime, although there were a bunch of changes to the binary. We no longer use these versions, so I'll see if we can just easily remove it.

Comment 5 Standa Laznicka 2021-07-09 12:44:25 UTC
I don't see a backport all the way to 4.6 as a very likely option. Given the fact that the displayed version really has no further meaning, it would probably not pass as a prioritized enough fix to be ported all the way back, I'm afraid.

Comment 8 Sergiusz Urbaniak 2021-08-17 09:23:51 UTC
sprint review: @QA: please submit sprint review status

Comment 11 Ke Wang 2021-09-23 06:26:49 UTC
Verified with OCP 4.9.0-0.nightly-2021-09-22-171016 payload, steps as below:
1. Logged in to the web console of the cluster with kubeadmin.
2. Navigated to Networking -> Routes, browsed the web links of prometheus and alertmanager, and checked the login page; the oauth-proxy was displayed without versions.
Pasted the related screenshots.

Comment 15 errata-xmlrpc 2021-10-18 17:38:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

