Bug 2002878 - Remove response headers for downloads of binaries from OpenShift WebConsole
Summary: Remove response headers for downloads of binaries from OpenShift WebConsole
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.9.0
Assignee: Jakub Hadvig
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On: 2001240
Blocks: 2018391
Reported: 2021-09-09 22:07 UTC by OpenShift BugZilla Robot
Modified: 2021-11-10 21:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-10 21:01:31 UTC
Target Upstream Version:
Embargoed:




Links
- GitHub: openshift console-operator pull 587 (added 2021-09-09 22:07:18 UTC)
- Red Hat Product Errata: RHBA-2021:4119 (added 2021-11-10 21:01:46 UTC)

Description OpenShift BugZilla Robot 2021-09-09 22:07:05 UTC
+++ This bug was initially created as a clone of Bug #2001240 +++

Description of problem:
-----------------------
A GET request shows the HTTP server module (Python SimpleHTTP) and the Python version in the response headers. This kind of technical information can be used by an attacker to better plan and target an attack. It is expected that this information be removed. Additionally, a dedicated HTTP server is expected to be used for production purposes.


Version-Release number of selected component:
---------------------------------------------
- OCP v3.11.x


How reproducible:
-----------------
```
$ curl -k -v https://downloads-openshift-console.apps.cluster.example.com/amd64/linux-v
* About to connect() to downloads-openshift-console.apps.cluster.example.com/ port 443 (#0)
*   Trying 10.0.90.215...
* Connected to downloads-openshift-console.apps.cluster.example.com/ (10.0.90.215) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=*.apps.cluster.example.com
* 	start date: srp 29 02:51:11 2021 GMT
* 	expire date: srp 29 02:51:12 2023 GMT
* 	common name: *.apps.cluster.example.com/
* 	issuer: CN=ingress-operator@1630205020
> GET /amd64/linux-v HTTP/1.1
> User-Agent: curl/7.29.0
> Host: downloads-openshift-console.apps.cluster.example.com/> Accept: */*
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 404 File not found
< server: SimpleHTTP/0.6 Python/3.6.8
< date: Thu, 02 Sep 2021 11:15:24 GMT
< content-type: text/html;charset=utf-8
< content-length: 469
< set-cookie: a663438294fbd72a8e16964e97c8ecde=4bc0813e6e425460c0d603d0df029034; path=/; HttpOnly; Secure; SameSite=None
< cache-control: private
* HTTP/1.0 connection set to keep alive!
< connection: keep-alive
< 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
        "http://www.w3.org/TR/html4/strict.dtd">
<html>
    <head>
```

Actual results:
---------------
- The response header reveals the HTTP server in use and the Python version: server: SimpleHTTP/0.6 Python/3.6.8

Expected results:
-----------------
- It is expected that this information be removed for security reasons
- It is recommended not to use the Python SimpleHTTP module, which is not intended for production use

--- Additional comment from jhadvig on 2021-09-06 09:50:29 UTC ---

Hi Radomir.
To clarify the purpose of the SimpleHTTP Python server: we are using it only for serving 'oc' binaries so they can be downloaded by any user (they don't even have to be logged in to OCP). They are also publicly available on GitHub, which is why we have been using it without any security issues. For that reason I don't think this is an issue.
With this justification, could this issue be closed?

--- Additional comment from rludva on 2021-09-06 11:48:34 UTC ---

Hello Jakub, yes, I understand. It is clear. But the customer wants to remove the information about the technology used that is displayed in the HTTP header, because of a warning from their security team not to expose this kind of information.

--- Additional comment from jhadvig on 2021-09-06 14:17:16 UTC ---

Based on a conversation with Radovan, changing the BZ's Version to 4.6, since that's the OCP version the affected customer is currently on.
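The header in the transcript above comes from Python's http.server, which stamps every response with `server_version + ' ' + sys_version`. The following is an added example (not the console-operator's code and not what PR 587 did) showing the stock handler next to a handler that overrides `version_string()`, plus the reporter's check reproduced locally: request a non-existent path, as the curl command does, and read the `Server` header off the 404. The product name "downloads", the scratch directory and its file content are constructed for the example.

```python
"""Added example, not code from the console-operator PR: serve a
directory with Python's http.server while suppressing the
'Server: SimpleHTTP/0.6 Python/3.6.8' header the bug complains about,
and check the result the way the reporter did (inspect the response
header of a request for a non-existent path)."""
import functools
import http.server
import os
import re
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request


class DefaultHandler(http.server.SimpleHTTPRequestHandler):
    """Stock behaviour: every response carries
    'Server: SimpleHTTP/<ver> Python/<x.y.z>'."""


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Same file serving, neutral Server header.

    BaseHTTPRequestHandler.send_response() always adds
    'Server: ' + self.version_string(), and version_string() returns
    server_version + ' ' + sys_version, i.e. the module name/version
    plus the interpreter version.  Overriding it drops both.
    """

    def version_string(self):
        return "downloads"  # hypothetical neutral product name

    def log_message(self, fmt, *args):
        pass  # silence the access log for this example


def serve_directory(handler_cls, directory):
    """Serve `directory` on 127.0.0.1 at an ephemeral port in a daemon
    thread; return (server, port).  Caller must shut the server down."""
    handler = functools.partial(handler_cls, directory=directory)
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def server_header(port, path):
    """Return the Server response header for GET `path` (None if absent).
    A 404, as in the bug's curl transcript, still carries the header."""
    url = f"http://127.0.0.1:{port}{path}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.headers.get("Server")
    except urllib.error.HTTPError as err:
        return err.headers.get("Server")


# product/version tokens such as 'SimpleHTTP/0.6' or 'Python/3.6.8'
_VERSION_TOKEN = re.compile(r"\S+/\d")


def header_leaks_stack(value):
    """True if a Server header value names software versions."""
    return bool(value) and _VERSION_TOKEN.search(value) is not None


def compare_handlers(path="/amd64/linux-v"):
    """Start both handlers over a scratch directory (constructed here),
    fetch `path` from each and return {'default': ..., 'quiet': ...}
    with the Server header each one sent."""
    with tempfile.TemporaryDirectory() as directory:
        # constructed sample content standing in for the oc binaries
        with open(os.path.join(directory, "oc"), "wb") as fh:
            fh.write(b"not a real binary")
        servers = {
            "default": serve_directory(DefaultHandler, directory),
            "quiet": serve_directory(QuietHandler, directory),
        }
        try:
            return {name: server_header(port, path)
                    for name, (_, port) in servers.items()}
        finally:
            for server, _ in servers.values():
                server.shutdown()
                server.server_close()


if __name__ == "__main__":
    for name, value in compare_handlers().items():
        print(f"{name:8} Server: {value!r}  leaks stack: {header_leaks_stack(value)}")
```

Against a real cluster the same check is `curl -skI https://downloads-openshift-console.apps.<cluster>/amd64/linux-v | grep -i '^server:'`, which should no longer print a module or interpreter version once the fix is in place. Note that overriding `version_string()` only addresses the first expected result in the report; the second (not exposing the `http.server` module in production at all) is a deployment decision this snippet does not make.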

Comment 3 Yadan Pei 2021-11-01 07:18:49 UTC
PR has been verified before merging, moving to VERIFIED

Comment 6 errata-xmlrpc 2021-11-10 21:01:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.9.6 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4119

