A flaw was found in atomic-openshift. CSRF tokens are not refreshed while a user is logged in, and they are exposed in the URL. This may allow attackers to perform CSRF attacks successfully.
Statement: OpenShift Container Platform versions prior to 3.11 do not contain the affected "cluster console" component and are not vulnerable to this flaw.
Acknowledgments: Name: Jeremy Choi (Red Hat)
From OWASP docs: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md

Firstly, the docs indicate that a CSRF token per session is adequate in general:
"Any state changing operation requires a secure random token (e.g., CSRF token) to prevent CSRF attacks. A CSRF token should be unique per user session"

Secondly, it's noted that a CSRF token per request offers additional security:
"To further enhance the security of this proposed design, consider randomizing the CSRF token parameter name and/or value for each request."

To restate the original concern, the issue is not that CSRF tokens do not change; it is that they are exposed in the URL. Rotating the tokens would be a mitigation for the concern, given that WebSocket requests cannot have them embedded in a custom header.
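One way to implement the per-request rotation the comment above describes, as an added example that is not OpenShift console code: a single-use, session-bound token is issued for each WebSocket handshake and spent on first presentation, so a copy that lands in a URL, proxy log or Referer header cannot be replayed. The `csrf` query-parameter name and the 30-second lifetime are assumptions.

```python
"""Single-use, session-bound CSRF tokens for WebSocket handshakes (added illustration)."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

TOKEN_TTL_SECONDS = 30  # assumption: a token only needs to survive the handshake


class WsCsrfTokenStore:
    """Issues a fresh token per WebSocket connection and invalidates it on first use."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}  # token -> (session_id, expiry timestamp)

    def issue(self, session_id: str) -> str:
        # 256 bits from the OS CSPRNG; URL-safe so it can travel in the query string.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (session_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def consume(self, token: str, session_id: str) -> bool:
        # Pop before checking: the token is spent on its first presentation, valid
        # or not, so a copy captured from a URL, log or Referer cannot be replayed.
        entry = self._tokens.pop(token, None)
        if entry is None:
            return False
        bound_session, expiry = entry
        if self._clock() > expiry:
            return False
        # Bind the token to the authenticated session cookie: a leaked token
        # presented without that session is rejected.
        return hmac.compare_digest(bound_session, session_id)


def authorize_ws_handshake(store: WsCsrfTokenStore, request_url: str, session_id: str) -> bool:
    """Validate the token carried in the WebSocket URL (query parameter `csrf`, assumed name)."""
    query = parse_qs(urlsplit(request_url).query)
    token = query.get("csrf", [""])[0]
    return store.consume(token, session_id)
```

In a real deployment `session_id` comes from the server-side session behind the authenticated cookie, never from the URL itself.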
I have updated the affected component to the more specific "openshift-enterprise-console-container" for the three affected releases.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:2792 https://access.redhat.com/errata/RHSA-2019:2792
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2019:4053 https://access.redhat.com/errata/RHSA-2019:4053