Do not reveal information on error pages and when not authenticated

[klaus-halfmann]

As of some security assessment we found that the console will reveal a lot of information even when showing an error page or even when use is not authenticated. E.g. I found:

This can be used to determine exact versions and other attack vectors, which should be avoided.

Expected:

• When console is called without authentication no such information is revealed.
• In case of Error pages (404, 502 ...) No interval information is shown.
• In case of normal operattion only the need information is revealed ** which part of the portal needs the GOARCH or GOOS information?

Its OK to switch on/off this feature we a flag, so developer builds will not be affected.

In case I am wrong here please direct me to the correct place ...

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[spadgett]

Hi, sorry for the delay in responding. https://github.com/openshift/console is probably the repo you meant.

Version information is available outside of the console using the API server version endpoint. We've previously had a Bugzilla on this (https://bugzilla.redhat.com/show_bug.cgi?id=1437573), but we have opted not to change this for the following reasons:

• Upstream Kubernetes' stance is that the version is public information, and we don't want to drift from upstream
• There is a small set of known attack vectors today – they could just try them all.... It would only (minimally) slow attacks down to not know the version information
• Security through obscurity is not a long-term security solution

[klaus-halfmann]

OK, I will tell our Security People ....