[release-4.13] OCPBUGS-86710: Strip X-SSL-* headers for plain HTTP #808

Open
MrSanketkumar wants to merge 1 commit into openshift:release-4.13 from MrSanketkumar:CVE-2026-46579-4.13

Conversation

@MrSanketkumar MrSanketkumar commented Jun 29, 2026


Vulnerability: CVE-2026-46579 - mTLS client certificate spoofing via HTTP header injection

Fix: Prevents unauthenticated spoofing of mutual TLS client identities by stripping X-SSL-Client-* headers from HTTP requests before they reach backends.

Changes:

  • Adds `ROUTER_MUTUAL_TLS_HEADER_FILTER` environment variable (default: `true`)
  • Strips all 12 X-SSL headers in HTTP frontends: `public`, `fe_sni`, `fe_no_sni`
  • Secure by default - header stripping enabled unless explicitly disabled

Backport of #807

Summary by CodeRabbit

  • Bug Fixes
    • Improved security by removing client certificate identity headers from requests when mutual TLS is not in use.
    • Applied this protection across plain HTTP and TLS-based routes to reduce the risk of header spoofing.
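The behaviour this PR fixes, as an added Go example that is not part of the PR or of the openshift/router code base: a plain-HTTP reverse proxy stands in for the HAProxy frontend, an echo backend plays a vulnerable application that trusts X-SSL-Client-* headers, and Probe sends a forged identity through the router with and without the equivalent of the del-header rules. The header list is the twelve names from the PR; StripMTLSHeaders, NewRouter, NewEchoBackend and Probe are names chosen here, and the prefix mode is an addition that goes beyond the PR's explicit list. Probe can also be pointed at a real route that fronts a header-echoing service to check a cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sort"
	"strings"
)

// spoofableHeaders mirrors the twelve names the PR's template deletes.
var spoofableHeaders = []string{
	"X-SSL",
	"X-SSL-Client-CN",
	"X-SSL-Client-DER",
	"X-SSL-Client-DN",
	"X-SSL-Client-NotAfter",
	"X-SSL-Client-NotBefore",
	"X-SSL-Client-SHA1",
	"X-SSL-Client-Serial",
	"X-SSL-Client-Subject",
	"X-SSL-Client-Verify",
	"X-SSL-Client-Version",
	"X-SSL-Issuer",
}

// StripMTLSHeaders removes client-supplied identity headers, as the router's
// http-request del-header rules do. With prefix=true it additionally drops any
// other X-SSL* header, the equivalent of `del-header X-SSL -m beg` in HAProxy
// (an addition here, not what the PR does).
func StripMTLSHeaders(h http.Header, prefix bool) {
	for _, name := range spoofableHeaders {
		h.Del(name)
	}
	if prefix {
		for name := range h { // deleting while ranging a map is safe in Go
			if strings.HasPrefix(strings.ToLower(name), "x-ssl") {
				h.Del(name)
			}
		}
	}
}

// NewEchoBackend is a stand-in for an application that trusts identity
// headers: it reports every X-SSL* header name it received, as a JSON list.
func NewEchoBackend() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var seen []string
		for name := range r.Header {
			if strings.HasPrefix(strings.ToLower(name), "x-ssl") {
				seen = append(seen, name)
			}
		}
		sort.Strings(seen)
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(seen)
	}))
}

// NewRouter is a plain-HTTP reverse proxy in front of backendURL, standing in
// for the HAProxy frontend with the header filter on or off.
func NewRouter(backendURL string, filter bool) *httptest.Server {
	target, err := url.Parse(backendURL)
	if err != nil {
		panic(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if filter {
			StripMTLSHeaders(r.Header, false)
		}
		proxy.ServeHTTP(w, r)
	}))
}

// Probe sends a request carrying forged identity headers to routeURL and
// returns the header names that reached the echo backend (empty means the
// router stripped them all).
func Probe(routeURL string) ([]string, error) {
	req, err := http.NewRequest(http.MethodGet, routeURL, nil)
	if err != nil {
		return nil, err
	}
	for _, name := range spoofableHeaders {
		req.Header.Set(name, "forged")
	}
	// The two values a trusting backend would act on.
	req.Header.Set("X-SSL-Client-Verify", "SUCCESS")
	req.Header.Set("X-SSL-Client-CN", "cluster-admin")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var leaked []string
	if err := json.NewDecoder(resp.Body).Decode(&leaked); err != nil {
		return nil, err
	}
	return leaked, nil
}

func main() {
	backend := NewEchoBackend()
	defer backend.Close()
	for _, filter := range []bool{false, true} {
		router := NewRouter(backend.URL, filter)
		leaked, err := Probe(router.URL)
		router.Close()
		if err != nil {
			panic(err)
		}
		fmt.Printf("filter=%v leaked=%d %v\n", filter, len(leaked), leaked)
	}
}
```

With the filter off the backend sees all twelve forged names, including X-SSL-Client-Verify: SUCCESS; with it on it sees none. A header the list does not name would still pass in the non-prefix mode, which is why the prefix variant exists.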

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 29, 2026
@openshift-ci-robot


@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86710, which is invalid:

  • expected dependent Jira Issue OCPBUGS-86711 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ASSIGNED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


coderabbitai Bot commented Jun 29, 2026


Walkthrough

The HAProxy config template adds http-request del-header rules for X-SSL and related X-SSL-Client-*/X-SSL-Issuer headers in the plain HTTP, TLS SNI, and TLS non-SNI frontends. Each block is guarded by ROUTER_MUTUAL_TLS_HEADER_FILTER (defaulting to true).

Changes

mTLS Header Stripping

File: images/router/haproxy/conf/haproxy-config.template
Summary: X-SSL header deletion across all three frontends. Adds identical ROUTER_MUTUAL_TLS_HEADER_FILTER-guarded http-request del-header blocks to the plain HTTP (line 228), TLS SNI (line 341), and TLS non-SNI (line 453) frontends, stripping X-SSL and all X-SSL-Client-*/X-SSL-Issuer headers.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks: 15 passed
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title clearly summarizes the main change: stripping X-SSL-* headers from plain HTTP requests.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: Passed. PR only changes the HAProxy template; no Ginkgo specs or *_test.go files were added or modified, so no unstable test titles are present.
  • Test Structure And Quality: Passed. PR only changes the HAProxy config template; no Ginkgo test code or cluster tests were added, so this checklist doesn’t apply.
  • Microshift Test Compatibility: Passed. This PR only updates the HAProxy template; no new Ginkgo tests or MicroShift-unsupported APIs/features are added.
  • Single Node Openshift (SNO) Test Compatibility: Passed. The PR only modifies an HAProxy template; no .go/.feature test files or Ginkgo constructs were added, so SNO test compatibility is not applicable.
  • Topology-Aware Scheduling Compatibility: Passed. The change only updates HAProxy header-stripping logic in a config template; no deployment manifests, controllers, or scheduling constraints were added.
  • OTE Binary Stdout Contract: Passed. Only the HAProxy config template changed; no main/init/TestMain/setup stdout writes were introduced.
  • IPv6 And Disconnected Network Test Compatibility: Passed. The PR only updates an HAProxy config template; no new Ginkgo e2e tests or test dirs were added, so this compatibility check is not applicable.
  • No-Weak-Crypto: Passed. Only header-stripping logic was added; no new weak ciphers, custom crypto, or secret comparisons were introduced.
  • Container-Privileges: Passed. Changed files only adjust HAProxy template/CI Dockerfiles; no privileged, hostNetwork, or allowPrivilegeEscalation settings were added.
  • No-Sensitive-Data-In-Logs: Passed. The patch only strips X-SSL headers; it adds no new logging or capture paths that would expose sensitive data.

openshift-ci Bot commented Jun 29, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ironcladlou for approval. For more information see the Code Review Process.

@MrSanketkumar


@coderabbitai review

coderabbitai Bot commented Jun 29, 2026

✅ Action performed

Review finished.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

📥 Commits

Reviewing files that changed from the base of the PR and between 1ee499a and e9972b3.

📒 Files selected for processing (1)
  • images/router/haproxy/conf/haproxy-config.template

Comment on lines +228 to +243
# Strip off X-SSL* headers for plain HTTP if not explicitly disabled.
# This prevents unauthenticated spoofing of mutual TLS client identities.
{{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}
http-request del-header X-SSL
http-request del-header X-SSL-Client-CN
http-request del-header X-SSL-Client-DER
http-request del-header X-SSL-Client-DN
http-request del-header X-SSL-Client-NotAfter
http-request del-header X-SSL-Client-NotBefore
http-request del-header X-SSL-Client-SHA1
http-request del-header X-SSL-Client-Serial
http-request del-header X-SSL-Client-Subject
http-request del-header X-SSL-Client-Verify
http-request del-header X-SSL-Client-Version
http-request del-header X-SSL-Issuer
{{- end }}
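Review bot: the explicit list of twelve names only covers the headers the router itself knows about; any other client-supplied X-SSL* header that a backend has been taught to read still reaches it untouched, and the list has to be kept in step in three places. HAProxy 2.2 and later accept a match method on this directive, so a single `http-request del-header X-SSL -m beg` inside the same guard clears the whole prefix and cannot drift from the list. Two smaller points: the leading comment says "for plain HTTP", yet the identical block is copied into fe_sni and fe_no_sni, so the wording is wrong there; and in those two frontends please confirm that these deletes are ordered before any `http-request set-header X-SSL-Client-*` the router adds after a verified mTLS handshake, otherwise the legitimate identity is stripped along with the forged one.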

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Keep the filter enabled on malformed env values.

isTrue(env(..., "true")) is only secure-by-default when the variable is unset. If ROUTER_MUTUAL_TLS_HEADER_FILTER is set to any non-empty typo, env() returns that value and isTrue() falls back to false, which silently disables the CVE mitigation without an explicit opt-out.

Suggested fix
-  {{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}
+  {{- $mtlsHeaderFilter := firstMatch "(?i:true|false)" (env "ROUTER_MUTUAL_TLS_HEADER_FILTER") "true" }}
+  {{- if isTrue $mtlsHeaderFilter }}
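Review bot: the pattern `(?i:true|false)` in the suggested fix is unanchored, so a value such as `untrue` or `falsey` is returned by firstMatch, then fails isTrue and disables the filter, the very outcome the fix is meant to prevent. Anchor it (`^(?i:true|false)$`) so that only an exact spelling is honoured and every other value falls back to the `"true"` default; the replacement in fe_sni and fe_no_sni needs the same anchoring.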

Also applies to: 341-357, 453-469

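To see the failure mode CodeRabbit describes, here is an added Go example (not the PR's or the openshift/router project's code) that models the three template helpers isTrue, env and firstMatch the way the template calls them; the helper bodies are assumptions about their semantics (strconv.ParseBool for isTrue, default-on-empty for env, first regexp match for firstMatch), and the three FilterEnabled* functions are names chosen here. It evaluates the merged check, the unanchored pattern from the suggested fix, and an anchored pattern restricted to the spellings ParseBool accepts, against unset, typo, partial-match and explicit-false values.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// envValue models `env NAME DEFAULT` (assumed semantics): the default is used
// only when the variable is unset or empty, so a typo is passed through as-is.
func envValue(value, def string) string {
	if value != "" {
		return value
	}
	return def
}

// isTrue models the template's isTrue helper (assumed semantics): Go's
// strconv.ParseBool, with any unparsable string counting as false.
func isTrue(s string) bool {
	b, err := strconv.ParseBool(s)
	return err == nil && b
}

// firstMatch models the template's firstMatch helper (assumed semantics):
// the first value matching pattern, or "" when none does.
func firstMatch(pattern string, values ...string) string {
	re := regexp.MustCompile(pattern)
	for _, v := range values {
		if re.MatchString(v) {
			return v
		}
	}
	return ""
}

// FilterEnabledAsMerged is the PR's guard: isTrue (env NAME "true").
// Any non-empty value that ParseBool rejects silently disables the filter.
func FilterEnabledAsMerged(raw string) bool {
	return isTrue(envValue(raw, "true"))
}

// FilterEnabledSuggested is the review's fix with its unanchored pattern:
// a value that merely contains "true" or "false" is accepted and then fails isTrue.
func FilterEnabledSuggested(raw string) bool {
	return isTrue(firstMatch("(?i:true|false)", raw, "true"))
}

// FilterEnabledAnchored only honours the exact spellings ParseBool accepts for
// these two words, so anything else falls back to the secure "true" default.
func FilterEnabledAnchored(raw string) bool {
	return isTrue(firstMatch(`^(true|True|TRUE|false|False|FALSE)$`, raw, "true"))
}

func main() {
	fmt.Printf("%-10s %-8s %-9s %-8s\n", "value", "merged", "suggested", "anchored")
	for _, raw := range []string{"", "true", "false", "FALSE", "ture", "untrue", "tRUE"} {
		fmt.Printf("%-10q %-8v %-9v %-8v\n", raw,
			FilterEnabledAsMerged(raw), FilterEnabledSuggested(raw), FilterEnabledAnchored(raw))
	}
}
```

The table shows the two silent opt-outs: `ture` disables the merged guard, and `untrue` disables the suggested one; only an explicit `false` (in a spelling ParseBool knows) turns the anchored guard off.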

@MrSanketkumar


/test e2e-aws-serial

1 similar comment
@MrSanketkumar


/test e2e-aws-serial

@openshift-ci

openshift-ci Bot commented Jun 30, 2026


@MrSanketkumar: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • ci/prow/e2e-aws-serial (commit e9972b3, required): rerun with /test e2e-aws-serial
