A flaw was found in atomic-openshift. CSRF tokens are not refreshed while a user is logged in, and they are exposed in the URL. This may allow attackers to perform CSRF attacks successfully.
OpenShift Container Platform versions prior to 3.11 do not contain the affected "cluster console" component and are not vulnerable to this flaw.
Name: Jeremy Choi (Red Hat)
From OWASP docs: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md
Firstly, the docs indicate that a CSRF token per session is adequate in general:
- "Any state changing operation requires a secure random token (e.g., CSRF token) to prevent CSRF attacks. A CSRF token should be unique per user session"
Secondly, it's noted that a CSRF token per request offers additional security:
- "To further enhance the security of this proposed design, consider randomizing the CSRF token parameter name and/or value for each request."
To restate the original concern, the issue is not that CSRF tokens do not change; it is that they are exposed in the URL. Rotating the tokens would be a mitigation for the concern, given that WebSocket requests cannot have them embedded in a custom header.
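The trade-off discussed in this comment, as an added illustration that is not part of the bug report or of OpenShift's code: a per-session token store beside a per-request rotating one, each exercised against a token that has leaked through a logged URL (the class and function names, and the sample URL, are assumed).

```python
import hmac
import secrets

# Added illustration: two CSRF token policies. Hypothetical names, not OpenShift code.


class SessionCsrfStore:
    """Per-session policy: one token for the lifetime of the session."""

    def __init__(self):
        self._tokens = {}

    def issue(self, session_id):
        # The first token issued for a session is reused until logout.
        return self._tokens.setdefault(session_id, secrets.token_urlsafe(32))

    def validate(self, session_id, presented):
        expected = self._tokens.get(session_id)
        # Constant-time comparison avoids leaking the token through timing.
        return expected is not None and hmac.compare_digest(expected, presented)


class RotatingCsrfStore:
    """Per-request policy: each token is single-use and replaced on validation."""

    def __init__(self):
        self._tokens = {}

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def validate(self, session_id, presented):
        expected = self._tokens.get(session_id)
        ok = expected is not None and hmac.compare_digest(expected, presented)
        if ok:
            self.issue(session_id)  # rotate: the value just used is now worthless
        return ok


def replay_after_leak(store, session_id="sess-1"):
    """Simulate a token copied out of a logged URL being reused later.

    Returns (first_use_ok, replay_ok): the legitimate client uses the token
    once, then the leaked copy is presented a second time.
    """
    token = store.issue(session_id)
    leaked_url = f"wss://console.example/api?csrf={token}"  # constructed sample
    leaked_copy = leaked_url.split("csrf=", 1)[1]
    first = store.validate(session_id, token)
    replay = store.validate(session_id, leaked_copy)
    return first, replay
```

With the per-session store the leaked copy still validates; with the rotating store it is rejected, which is the mitigation the comment proposes.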
I have updated the affected component to the more specific "openshift-enterprise-console-container" for the three affected releases.
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.1
Via RHSA-2019:2792 https://access.redhat.com/errata/RHSA-2019:2792