Description of problem:
The response to a GET request exposes, in its HTTP headers, the Python SimpleHTTP module and the Python version. This kind of technical information can be used by an attacker to better plan and target their attack. This information is expected to be removed. Additionally, a dedicated HTTP server is expected to be used for production purposes.
Version-Release number of selected component:
- OCP v3.11.x
$ curl -k -v https://downloads-openshift-console.apps.cluster.example.com/amd64/linux-v
* About to connect() to downloads-openshift-console.apps.cluster.example.com/ port 443 (#0)
* Trying 10.0.90.215...
* Connected to downloads-openshift-console.apps.cluster.example.com/ (10.0.90.215) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=*.apps.cluster.example.com
* start date: srp 29 02:51:11 2021 GMT
* expire date: srp 29 02:51:12 2023 GMT
* common name: *.apps.cluster.example.com/
* issuer: CN=ingress-operator@1630205020
> GET /amd64/linux-v HTTP/1.1
> User-Agent: curl/7.29.0
> Host: downloads-openshift-console.apps.cluster.example.com/
> Accept: */*
* HTTP 1.0, assume close after body
< HTTP/1.0 404 File not found
< server: SimpleHTTP/0.6 Python/3.6.8
< date: Thu, 02 Sep 2021 11:15:24 GMT
< content-type: text/html;charset=utf-8
< content-length: 469
< set-cookie: a663438294fbd72a8e16964e97c8ecde=4bc0813e6e425460c0d603d0df029034; path=/; HttpOnly; Secure; SameSite=None
< cache-control: private
* HTTP/1.0 connection set to keep alive!
< connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
- The header contains information about the HTTP server and Python version in use: server: SimpleHTTP/0.6 Python/3.6.8
- This information is expected to be removed for security reasons
- It is recommended not to use the Python SimpleHTTP module, which is not intended for production use
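As an added example (not code from this report or from the OpenShift project): a small checker that extracts the Server header tokens from a captured response like the one above, and a SimpleHTTPRequestHandler subclass that drops the Server header entirely, served on loopback so the fix can be verified. The constant and function names (SAMPLE_RESPONSE, server_disclosure, QuietHandler, start_server, fetch_headers) are my own.

```python
import http.client
import http.server
import threading

# Constructed status line and headers, mirroring the curl capture in this report.
SAMPLE_RESPONSE = (
    "HTTP/1.0 404 File not found\r\n"
    "server: SimpleHTTP/0.6 Python/3.6.8\r\n"
    "content-type: text/html;charset=utf-8\r\n"
    "\r\n"
)

def server_disclosure(raw_response):
    """Return the product/version tokens from the Server header, or [] if absent."""
    for line in raw_response.split("\r\n")[1:]:  # skip the status line
        if not line:                              # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.split()
    return []

# BaseHTTPRequestHandler.send_response() adds 'Server: <server_version> <sys_version>'
# (e.g. 'SimpleHTTP/0.6 Python/3.6.8') to every response, including the 404 in the
# report. Intercepting send_header() removes that header entirely.
class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def send_header(self, keyword, value):
        if keyword.lower() == "server":
            return
        super().send_header(keyword, value)

    def log_message(self, fmt, *args):
        pass  # keep per-request logging out of the demo output

def start_server(quiet=True):
    """Serve the working directory on an ephemeral loopback port; return (server, port)."""
    handler = QuietHandler if quiet else http.server.SimpleHTTPRequestHandler
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def fetch_headers(port, path="/amd64/linux-v"):
    """GET `path` from the local server; return (status, {lower-cased name: value})."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}
```

Running `start_server(quiet=False)` and fetching the same path shows the stock handler still answering with a `server: SimpleHTTP/... Python/...` header, while the QuietHandler response carries none.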
To clarify the purpose of the SimpleHTTP Python server: we are using it only for serving the 'oc' binaries so they can be downloaded by any user (they don't even have to be logged in to OCP). They are also publicly available on GitHub, which is why we have been using it without any security issues. For that reason I don't think this is an issue.
With this justification, could this issue be closed?
Hello Jakub, yes, I understand. It is clear. But the customer wants to remove the information about the technology used, which is displayed in the HTTP header, because of the warning from their security team not to export this kind of information.
Based on a conversation with Radovan, changing the BZ's Version to 4.6, since that's the OCP version the affected customer is currently on.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.