CVE-2019-3876

Отчет

This issue affects the OAuth server shipped in OpenShift Container Platform version v3.0 through v3.11. Red Hat Product Security has rated this issue as having a security impact of Moderate. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Меры по смягчению последствий

Since at least v3.4, the OpenShift documentation [1] has specified the format for corsAllowedOrigins to accurately match intended hostnames. Since at least v3.7, installs will default to use the correct regular expression formatted variables. Earlier versions may be configured with plain strings, a configuration which will persist across cluster upgrades, opening them to cross origin vulnerabilities such as this. At a minimum, you should ensure that the corsAllowedOrigin definition within master-config.yaml contains elements in the form

and not the form

as the first will permit cross origin requests only if the host matches exactly, whereas the second will permit from any host that merely contains the string (such as ABCDdomain.com or even domain.comABCD.com). Footnotes: [1] https://docs.openshift.com/container-platform/3.4/architecture/infrastructure_components/web_console.html#corsAllowedOrigins