Bug 2001240 - Remove response headers for downloads of binaries from OpenShift WebConsole
Summary: Remove response headers for downloads of binaries from OpenShift WebConsole
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.10.0
Assignee: Jakub Hadvig
QA Contact: Yadan Pei
Depends On:
Blocks: 2002878
TreeView+ depends on / blocked
Reported: 2021-09-04 18:17 UTC by Radomir Ludva
Modified: 2022-03-10 16:07 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2022-03-10 16:07:08 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift console-operator pull 585 0 None None None 2021-09-06 14:28:47 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:07:24 UTC

Description Radomir Ludva 2021-09-04 18:17:56 UTC
Description of problem:
The GET method is showing in the headers of HTTP Python/SimpleHTTP module and Python version. This kind of technical information can be used by an attacker to better plan and target its attack. It is expected to remove this information. Additionally it is expected to use dedicated http server for production purpose.

Version-Release number of selected component:
- OCP v3.11.x

How reproducible:
$ curl -k -v https://downloads-openshift-console.apps.cluster.example.com/amd64/linux-v
* About to connect() to downloads-openshift-console.apps.cluster.example.com/ port 443 (#0)
*   Trying
* Connected to downloads-openshift-console.apps.cluster.example.com/ ( port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=*.apps.cluster.example.com
* 	start date: srp 29 02:51:11 2021 GMT
* 	expire date: srp 29 02:51:12 2023 GMT
* 	common name: *.apps.cluster.example.com/
* 	issuer: CN=ingress-operator@1630205020
> GET /amd64/linux-v HTTP/1.1
> User-Agent: curl/7.29.0
> Host: downloads-openshift-console.apps.cluster.example.com/> Accept: */*
* HTTP 1.0, assume close after body
< HTTP/1.0 404 File not found
< server: SimpleHTTP/0.6 Python/3.6.8
< date: Thu, 02 Sep 2021 11:15:24 GMT
< content-type: text/html;charset=utf-8
< content-length: 469
< set-cookie: a663438294fbd72a8e16964e97c8ecde=4bc0813e6e425460c0d603d0df029034; path=/; HttpOnly; Secure; SameSite=None
< cache-control: private
* HTTP/1.0 connection set to keep alive!
< connection: keep-alive

Actual results:
- In the header is information about used HTTP server and Python version: server: SimpleHTTP/0.6 Python/3.6.8

Expected results:
- It is expected to remove this information for security reason
- It is recommend to not use Python SimpleHTTP module which is not dedicated for production purpose

Comment 1 Jakub Hadvig 2021-09-06 09:50:29 UTC
Hi Radomir.
To clear the purpose of the SimpleHTTP Python server, we are using it only for serving 'oc' binaries so they can be downloaded for any user(they dont even have to be logged in to the OCP). They are also publicly available on github, that why we have been using it without any security issues. For that reason I dont think this is an issue.
With this justification could this issue be closed?

Comment 2 Radomir Ludva 2021-09-06 11:48:34 UTC
Hello, Jakub, Yes I understand. It is clear. But the customer wants to remove the information about the used technology which is displayed in the HTTP Header. 
Because of the warning from their security team to do not export this kind of information.

Comment 3 Jakub Hadvig 2021-09-06 14:17:16 UTC
Based on conversation with Radovan, changing the BZ's Version to 4.6 since thats the OCP version, which affected customer is currently on.

Comment 9 errata-xmlrpc 2022-03-10 16:07:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.