Description of problem: During a penetration test we had a medium warning regarding the official OAuth proxy image. The version is displayed in the page footer. This information can be useful for an attacker if an exploitable vulnerability exists for that version in order to compromise the server. Could you please fix it in the official image?
Version-Release number of selected component (if applicable): OCP 4.6, oauth proxy version (2.3.0)
How reproducible:
Steps to Reproduce: 1. 2. 3.
Actual results:
Expected results:
Additional info:
The oauth-proxy version has been the same for the course of OpenShift 4.x lifetime, although there were a bunch of changes to the binary. We no longer use these versions so I'll see if we can just easily remove it.
I don't see a backport all the way to 4.6 as a very likely option. Given the fact that the displayed version really has no further meaning it would probably not pass as a prioritized enough fix to be ported all the way back, I'm afraid.
sprint review: @QA: please submit sprint review status
Verified with OCP 4.9.0-0.nightly-2021-09-22-171016 payload, steps as below: 1. Logged in to the web console of the cluster with kubeadmin. 2. Navigated to Networking -> Routes, browsed the web links of prometheus and alertmanager, and checked the login page; the oauth-proxy was displayed without a version. Pasted the related screenshots.
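The manual check in the verification comment above (open the oauth-proxy sign-in page and confirm the footer no longer shows a version) can be turned into a small regression check. The following is an added example, not code from this bug report or from the oauth-proxy project: it extracts the visible text of a sign-in page and reports any product-name-plus-version token it finds, so the fixed image can be re-checked mechanically after each rebase. The sample footer markup is constructed for the example, and the pattern it looks for is an assumption about how the old version string was rendered.

```python
"""Regression check for version disclosure on an oauth-proxy sign-in page.

Added example: the HTML below is constructed, and the exact markup that
oauth-proxy 2.3.0 used for its footer is an assumption.
"""
import re
import sys
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect the text nodes of a page so markup cannot hide a version string."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def text(self):
        # Collapse runs of whitespace so matching is independent of layout.
        return " ".join(" ".join(self.parts).split())


# Product name followed, within a short distance, by a semver-like token.
# "oauth-proxy", "OAuth Proxy", "oauth2_proxy" and "v2.3.0"/"2.3.0" all match.
VERSION_RE = re.compile(
    r"\b(oauth2?[-_ ]?proxy)\b[^.\n]{0,40}?\bv?(\d+\.\d+\.\d+)\b", re.IGNORECASE
)


def find_version_disclosure(html):
    """Return a list of (product, version) pairs disclosed in the visible text."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return [(m.group(1), m.group(2)) for m in VERSION_RE.finditer(parser.text())]


def footer_is_clean(html):
    """True when no product/version pair is visible on the page."""
    return not find_version_disclosure(html)


# Constructed sample pages: the pre-fix footer and the same page with the
# version removed, as the verification comment describes for the fixed image.
BEFORE = """<html><body><h1>Sign in</h1>
<form method="post" action="/oauth/start"><button>Log in with OpenShift</button></form>
<footer>Secured with <a href="https://example.invalid/">OAuth Proxy</a> version 2.3.0</footer>
</body></html>"""
AFTER = BEFORE.replace(" version 2.3.0", "")


def main(argv):
    # Usage: python check_footer.py sign_in.html   (or pipe the page on stdin)
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            page = fh.read()
    elif not sys.stdin.isatty():
        page = sys.stdin.read()
    else:
        page = BEFORE  # demo run against the constructed pre-fix page
    found = find_version_disclosure(page)
    for product, version in found:
        print(f"version disclosed: {product} {version}")
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To use it against a cluster, save the sign-in page of the prometheus or alertmanager route (for example with `curl -sk` on the route URL) and pass the file as the first argument; a non-zero exit code means a version string is still visible.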
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759