Bug 1993002 - The "largestMaxAge" and "smallestMaxAge" in "maxAge" option for HSTS headers accept negative values
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.9
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Target Release: 4.9.0
Assignee: Candace Holman
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-08-12 08:48 UTC by Arvind iyengar
Modified: 2022-08-04 22:35 UTC (History)
CC List: 2 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:46:09 UTC
Target Upstream Version:
Embargoed:




Links
System          ID                                              Last Updated
GitHub          openshift/api pull 988                          2021-08-13 02:45:14 UTC
GitHub          openshift/api pull 990                          2021-08-17 03:06:49 UTC
GitHub          openshift/cluster-config-operator pull 214      2021-08-17 03:11:40 UTC
Red Hat Errata  RHSA-2021:3759                                  2021-10-18 17:46:23 UTC

Description Arvind iyengar 2021-08-12 08:48:32 UTC
Description of problem:
The "largestMaxAge" and "smallestMaxAge" in the "maxAge" option for HSTS headers accept negative values, and these values appear to be used for evaluation during header validation.

OpenShift release version:
4.9.0-0.nightly-2021-08-07-175228

How reproducible:
Frequently

Steps to Reproduce (in detail):
1. Configure the cluster ingresses resource with the HSTS validation option and define negative values for the said parameters of the "maxAge" header check:
-----
  domain: apps.aiyengar4911.qe.devcluster.openshift.com
  requiredHSTSPolicies:
  - domainPatterns:
    - '*.internalapps.aiyengar4911.qe.devcluster.openshift.com'
    includeSubDomainsPolicy: RequireIncludeSubDomains
    maxAge:
      largestMaxAge: -100
      smallestMaxAge: -100
    preloadPolicy: RequirePreload

-----

2. Try changing the hsts header aging value for a route:



Actual results:

Before changing the aging:
curl -Ik https://service-unsecure-test1.internalapps.aiyengar4911.qe.devcluster.openshift.com       
HTTP/1.1 200 OK
server: nginx/1.18.0
date: Thu, 12 Aug 2021 08:04:24 GMT
content-type: text/html
content-length: 46
last-modified: Wed, 11 Aug 2021 11:19:04 GMT
etag: "6113b228-2e"
accept-ranges: bytes
strict-transport-security: max-age=200;includeSubDomains;preload
set-cookie: 6b61b6eae6a7fcb9c100e4c96e0d6f2e=32f7b665c295eaefff4cb940a9fbe602; path=/; HttpOnly; Secure; SameSite=None
cache-control: private

Trying to change the value ends with the error below:

oc annotate route edge-route2 haproxy.router.openshift.io/hsts_header='max-age=300;includeSubDomains;preload' --overwrite
Error from server (Forbidden): routes.route.openshift.io "edge-route2" is forbidden: is greater than maximum age (-100)


Expected results:
As the feature proposal states, the minimum value for these parameters is "0"; I believe negative values should be discarded.


Impact of the problem:
Though users/admins may not input negative values for this option deliberately, there is a chance of human error where they get applied accidentally, which can cause further issues with the header validation process for routes.

Comment 5 Arvind iyengar 2021-08-24 04:19:06 UTC
Verified in the "4.9.0-0.nightly-2021-08-23-192406" release version. With this payload, it is observed that negative values for the "maxAge" options are properly rejected when attempts are made to set them:
------
oc get clusterversion                          
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-08-23-192406   True        False         41m     Cluster version is 4.9.0-0.nightly-2021-08-23-192406


Attempting to set the timer options to negative values results in an error:
  requiredHSTSPolicies:
  - domainPatterns:
    - '*.internalapps.aiyengar49bz.qe.devcluster.openshift.com'
    includeSubDomainsPolicy: NoOpinion
    maxAge:
      largestMaxAge: -30000
      smallestMaxAge: -1
    preloadPolicy: NoOpinion

# ingresses.config.openshift.io "cluster" was not valid:
# * spec.requiredHSTSPolicies.maxAge.largestMaxAge: Invalid value: -30000: spec.requiredHSTSPolicies.maxAge.largestMaxAge in body should be greater than or equal to 0
# * spec.requiredHSTSPolicies.maxAge.smallestMaxAge: Invalid value: -1: spec.requiredHSTSPolicies.maxAge.smallestMaxAge in body should be greater than or equal to 0
#
------
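The two halves of this bug, the admission check in the description that compared every route's max-age against bounds of -100 (so "max-age=300" was "greater than maximum age (-100)"), and the CRD-level "should be greater than or equal to 0" rejection shown in the verification comment, can be replayed with a small Go program. The code below is an added illustration for this page, not the openshift/api or router code: the type, function names and error strings are my own, the smallest <= largest sanity check is an assumption beyond what the bug report states, and the header value is the one from the report.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// MaxAgePolicy mirrors the smallestMaxAge/largestMaxAge pair of the
// requiredHSTSPolicies[].maxAge stanza in ingresses.config.openshift.io.
// Illustrative type for this example, not the openshift/api definition.
type MaxAgePolicy struct {
	SmallestMaxAge int32 // smallest max-age (seconds) a matching route may set
	LargestMaxAge  int32 // largest max-age (seconds) a matching route may set
}

// ValidateMaxAgePolicy is the guard the bug asked for: both bounds must be
// >= 0, mirroring the "should be greater than or equal to 0" CRD errors in
// the verification comment. The smallest <= largest check is an extra sanity
// check added here (assumption, not something the bug report states).
func ValidateMaxAgePolicy(p MaxAgePolicy) error {
	var errs []string
	if p.LargestMaxAge < 0 {
		errs = append(errs, fmt.Sprintf("maxAge.largestMaxAge: Invalid value: %d: should be greater than or equal to 0", p.LargestMaxAge))
	}
	if p.SmallestMaxAge < 0 {
		errs = append(errs, fmt.Sprintf("maxAge.smallestMaxAge: Invalid value: %d: should be greater than or equal to 0", p.SmallestMaxAge))
	}
	if len(errs) == 0 && p.SmallestMaxAge > p.LargestMaxAge {
		errs = append(errs, fmt.Sprintf("maxAge.smallestMaxAge (%d) must not exceed largestMaxAge (%d)", p.SmallestMaxAge, p.LargestMaxAge))
	}
	if len(errs) > 0 {
		return errors.New(strings.Join(errs, "; "))
	}
	return nil
}

// ParseHSTSMaxAge extracts the delta-seconds of the max-age directive from a
// Strict-Transport-Security value such as "max-age=300;includeSubDomains;preload".
// RFC 6797 requires exactly one max-age directive carrying a non-negative integer.
func ParseHSTSMaxAge(header string) (int64, error) {
	found := false
	var age int64
	for _, directive := range strings.Split(header, ";") {
		name, value, hasValue := strings.Cut(strings.TrimSpace(directive), "=")
		if !strings.EqualFold(strings.TrimSpace(name), "max-age") {
			continue
		}
		if found {
			return 0, errors.New("duplicate max-age directive")
		}
		if !hasValue {
			return 0, errors.New("max-age directive has no value")
		}
		n, err := strconv.ParseInt(strings.Trim(strings.TrimSpace(value), `"`), 10, 64)
		if err != nil || n < 0 {
			return 0, fmt.Errorf("invalid max-age value %q", value)
		}
		found, age = true, n
	}
	if !found {
		return 0, errors.New("missing max-age directive")
	}
	return age, nil
}

// CheckRouteHSTS is the admission-time comparison of a route's
// haproxy.router.openshift.io/hsts_header annotation against the policy.
// The error text follows the shape seen in the bug report so the failure
// mode with negative bounds is recognisable.
func CheckRouteHSTS(p MaxAgePolicy, header string) error {
	age, err := ParseHSTSMaxAge(header)
	if err != nil {
		return err
	}
	if age > int64(p.LargestMaxAge) {
		return fmt.Errorf("max-age %d is greater than maximum age (%d)", age, p.LargestMaxAge)
	}
	if age < int64(p.SmallestMaxAge) {
		return fmt.Errorf("max-age %d is less than minimum age (%d)", age, p.SmallestMaxAge)
	}
	return nil
}

func main() {
	header := "max-age=300;includeSubDomains;preload" // the annotation value from the report
	broken := MaxAgePolicy{SmallestMaxAge: -100, LargestMaxAge: -100}

	// Pre-fix behaviour: the bad policy is stored, and every route then fails admission.
	fmt.Println("without bound validation:", CheckRouteHSTS(broken, header))

	// Post-fix behaviour: the policy itself is rejected before it can be applied.
	fmt.Println("with bound validation:", ValidateMaxAgePolicy(broken))

	sane := MaxAgePolicy{SmallestMaxAge: 0, LargestMaxAge: 31536000} // 0 .. one year
	fmt.Println("sane policy, sane route:", CheckRouteHSTS(sane, header))
}
```

The point worth keeping from the reproduction is that the route check was never wrong on its own: given bounds of -100 it correctly found 300 (and the existing 200) to be above the maximum. The defect was that nothing rejected the bounds where they were written, so a single typo in the cluster-scoped ingress config locked every matching route out of any valid HSTS header. Validating the configuration object at the API boundary, as the CRD now does, is where that class of input has to be stopped.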

Comment 8 errata-xmlrpc 2021-10-18 17:46:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

