CVE-2016-3711
Description
HAProxy in Red Hat OpenShift Enterprise 3.2 and OpenShift Origin allows local users to obtain the internal IP address of a pod by reading the "OPENSHIFT_[namespace]_SERVERID" cookie.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Local users can obtain internal pod IP addresses via the OPENSHIFT_[namespace]_SERVERID cookie in OpenShift's HAProxy routing.
Vulnerability
HAProxy in Red Hat OpenShift Enterprise 3.2 and OpenShift Origin exposes the internal IP address of a pod through the OPENSHIFT_[namespace]_SERVERID cookie. This occurs because the cookie value is set to the raw pod IP, rather than an obfuscated value. The vulnerability is present in the default configuration of the HAProxy router.
Exploitation
A local user with access to HTTP responses from the HAProxy router can read the OPENSHIFT_[namespace]_SERVERID cookie. The attacker does not need authentication or special privileges; merely observing the cookie value reveals the internal IP address of the backend pod handling the request.
Impact
An attacker can map the internal network topology of the OpenShift cluster by collecting cookie values over time. This exposes pod IP addresses, which are typically considered internal and not intended for disclosure. The impact is limited to information disclosure, but it can aid in further attacks against the cluster.
Mitigation
The vulnerability is fixed in pull request #8334 [1], which modifies HAProxy to return a hash of the internal IP address and service name instead of the raw IP. Users should update to a version of OpenShift that includes this fix (e.g., OpenShift Origin after the merge of PR #8334). No known EOL or KEV listing exists.
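A defender-side check for this exposure, added here as an example (it is not code from the advisory or from OpenShift): it scans Set-Cookie header values for OPENSHIFT_[namespace]_SERVERID cookies whose value is still an IP literal rather than an opaque hash. The sample headers, the cookie attributes, and the handling of a ":port" suffix or IPv6 brackets are assumptions made for illustration.

```python
import ipaddress
import re

# Cookie name pattern taken from the CVE description.
COOKIE_RE = re.compile(r"^(OPENSHIFT_.+_SERVERID)=([^;]*)", re.IGNORECASE)


def parse_ip(value):
    """Return an ip_address if value is an IP literal, else None.

    Assumption: the value may carry a ':port' suffix or IPv6 brackets.
    """
    v = value.strip().strip('"')
    candidates = [v]
    if v.startswith("[") and "]" in v:
        candidates.append(v[1:v.index("]")])      # [v6]:port
    elif v.count(":") == 1:
        candidates.append(v.rsplit(":", 1)[0])    # v4:port
    for c in candidates:
        try:
            return ipaddress.ip_address(c)
        except ValueError:
            continue
    return None


def audit_set_cookie(headers):
    """Return (cookie_name, ip) pairs for cookies that disclose an address."""
    findings = []
    for h in headers:
        m = COOKIE_RE.match(h.strip())
        if m:
            ip = parse_ip(m.group(2))
            if ip is not None:
                findings.append((m.group(1), str(ip)))
    return findings


# Constructed sample Set-Cookie values (not captured from a real router).
SAMPLE = [
    "OPENSHIFT_demo_SERVERID=10.1.2.15; path=/; HttpOnly",
    "OPENSHIFT_shop_SERVERID=10.1.4.7:8080; path=/; HttpOnly",
    "OPENSHIFT_demo_SERVERID=3f2a9c0e5b7d41c8a6e0b1d2c3f4a5b6; path=/; HttpOnly",
    "JSESSIONID=abc123; path=/",
]

if __name__ == "__main__":
    for name, ip in audit_set_cookie(SAMPLE):
        print(f"LEAK {name} -> {ip}")
```

An empty result for routes behind an updated router is the expected outcome; any finding means that route is still served by a router without the fix.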
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
- Range: 3.2
References
[1] github.com/openshift/origin/pull/8334 (NVD: Patch)
[2] access.redhat.com/errata/RHSA-2016:1064 (NVD: Vendor Advisory)