Closed paulbadcock closed 1 year ago
Hi, thank you for creating the issue.
I see that this configuration is done on the side of the rpm package that is contained in the container images. The expose_php
is also enabled by default upstream, based on their documentation.
@remicollet, hi, do you think the container images could benefit from disabling the expose_php? AFAIK it should have no influence on the functionality of the image (except for the information in the header).
Hiding the version is not a real security feature ;) (and BTW the version doesn't really mean anything with our security backports)
We also have Apache version displayed ;)
A lot of security scanners don't factor in the backported fixes, for example, as Remi mentioned (btw thanks for all your work on your repos over time).
So for our clients that have transitioned from 7.x to 8.x images there's now a ton of questions about which fixes are backported, because scanners now see "x-powered-by" and flag it as unpatched. Yes, security by obscurity is not recommended as protection, but the introduction of this is causing more questions :)
As you mentioned though, there's a framework with Apache to disable this with the httpd-cfg folder and dropping in a file like 10-server_signature.conf
ServerTokens ProductOnly
ServerSignature Off
Since this now defaults to on, it would be nice to have a feature to disable it via an environment variable instead of custom Dockerfiles.
So for our clients that have transitioned from 7.x to 8.x images there's now a ton of questions about which fixes are backported, because scanners now see "x-powered-by" and flag it as unpatched.
Whether a specific patch for a CVE has been backported to a specific version of php can be found on access.redhat.com[1]. [1] https://access.redhat.com/security/security-updates/cve
We do not plan to provide this change in Red Hat Enterprise Linux container images for the reasons stated in the comments above.
Please raise a ticket through the regular Red Hat support channels if this is important/critical for you.
For information on how to contact the Red Hat production support team, please visit: https://access.redhat.com/support
Container platform
OCP 4
Version
php-80 php-81
OS version of the container image
RHEL 9
Bugzilla, Jira
No response
Description
The 7.x line of containers didn't expose PHP version(s) via HTTP headers
Create an index.php
Use a dockerfile
Build the container and run
Verify php is actually running the code in the file
Examine the headers
Now if you flip the build to php 8.1 by simply changing the From line in the Dockerfile to
You can now see the full php version is getting leaked because of the php.ini
Introducing in the Dockerfile a fix to remove this
Corrects the output
TL;DR the php version is now in the server headers, triggering security alerts.
Reproducer
No response
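The reporter's reproduction steps end with examining the response headers, and the Apache drop-in in the thread only covers the Server header. The following is an added check, not code from the issue or the sclorg images, that a defender can run over `curl -sI` output to confirm that neither PHP (X-Powered-By, emitted only while expose_php is On) nor httpd (Server: Apache/x.y) still advertises a version; the two header dumps are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the issue thread. Both header dumps below are
# constructed: the first mimics a php-8x image with the default
# expose_php=On and ServerTokens Full, the second the same image after
# expose_php=Off and ServerTokens ProductOnly / ServerSignature Off.

LEAKY_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.57 (Red Hat Enterprise Linux)
X-Powered-By: PHP/8.1.14
Content-Type: text/html; charset=UTF-8'

CLEAN_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8'

# leaks_version HEADERS
# Prints every header line that discloses a version.
# Returns 0 if anything leaks (so it reads naturally in an `if`), 1 if clean.
leaks_version() {
    found=1
    # PHP only adds X-Powered-By while expose_php is On, so any occurrence
    # means the ini setting is still at its upstream default.
    if xpb=$(printf '%s\n' "$1" | grep -i '^x-powered-by:'); then
        printf 'leak: %s\n' "$xpb"
        found=0
    fi
    # ServerTokens ProductOnly reduces the header to "Server: Apache";
    # a digit in it means a version (and possibly the OS) is still exposed.
    if srv=$(printf '%s\n' "$1" | grep -i '^server:' | grep '[0-9]'); then
        printf 'leak: %s\n' "$srv"
        found=0
    fi
    return $found
}

# Usage against a running container (host and port are placeholders):
#   leaks_version "$(curl -sI http://localhost:8080/index.php)" && echo "FAIL"
```

Run it as a post-build gate in the image pipeline: a non-zero exit from `leaks_version` is the state the scanners in the thread stop complaining about.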