A flaw was found in the OpenShift Router. When a Route has `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend does not remove `X-SSL-Client-*` headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted `X-SSL-Client-*` headers. As a result, backends relying on these headers for mutual TLS (Transport Layer Security) authentication can be bypassed, enabling the attacker to impersonate client certificate identities.
OpenShift Router fails to remove X-SSL-Client-* headers from HTTP requests when insecureEdgeTerminationPolicy is set to Allow, allowing attackers to bypass mutual TLS authentication. Unauthenticated attackers can impersonate client certificate identities by crafting malicious headers in plain HTTP requests.
OpenShift Router contains a flaw in its handling of X-SSL-Client-* headers when insecureEdgeTerminationPolicy is set to Allow. Unauthenticated attackers can send plain HTTP requests with forged headers to bypass mutual TLS authentication. This allows impersonation of client certificate identities and unauthorized access to backend services.
OpenShift Router does not properly sanitize X-SSL-Client-* headers in HTTP requests when insecureEdgeTerminationPolicy is configured to Allow, enabling authentication bypass. Attackers can forge client certificate identities without authentication by sending crafted headers over unencrypted connections.
Upgrade OpenShift Router to a patched version that removes inbound X-SSL-Client-* headers from plain HTTP requests. Review every Route whose insecureEdgeTerminationPolicy is set to Allow and switch it to Redirect or None where plain HTTP is not required. Implement backend validation of client certificates that does not depend on header values. Monitor for X-SSL-Client-* headers arriving on plain HTTP requests, since the router, not the client, is the only legitimate source of these headers.
Upgrade OpenShift Router to a patched version that correctly removes X-SSL-Client-* headers from HTTP requests. Review and restrict use of insecureEdgeTerminationPolicy set to Allow. Implement client certificate validation in the backend independently of header values. Monitor for suspicious X-SSL-Client-* headers in HTTP traffic.
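The following is an added example, not OpenShift Router code or any Red Hat component. It models the behaviour the description above reports (a plain HTTP request with a forged X-SSL-Client-* header reaching a backend that trusts it), the router-side strip that the patched version is described as applying, and the monitoring step from the mitigation. The Request shape, the X-SSL-Client-CN header name, the assumption that the router rewrites these headers from the verified certificate on TLS requests, and the access-log format are all assumptions made for this illustration.

```python
# Added example (not OpenShift Router code). Models the X-SSL-Client-* header
# forgery described in the advisory, the patched router's strip on plain HTTP,
# a backend that does not trust the headers, and a log check for monitoring.
# The Request shape, the X-SSL-Client-CN header name, the router's behaviour on
# TLS requests and the log format are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional

FORGEABLE_PREFIX = "x-ssl-client-"  # prefix of the headers the router is expected to own


@dataclass
class Request:
    scheme: str                        # "http" (plain) or "https" (TLS terminated at the router)
    headers: Dict[str, str]            # headers as sent by the client
    verified_cn: Optional[str] = None  # CN from a client certificate the TLS layer actually verified


def strip_client_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop every inbound X-SSL-Client-* header, matching case-insensitively."""
    return {k: v for k, v in headers.items() if not k.lower().startswith(FORGEABLE_PREFIX)}


def router_forward(req: Request, insecure_policy: str, patched: bool) -> Optional[Dict[str, str]]:
    """Model of the router frontend for a Route with the given insecureEdgeTerminationPolicy.

    Returns the headers the backend receives, or None when plain HTTP is not
    forwarded (Redirect or None policy). On TLS requests the model drops any
    client-supplied X-SSL-Client-* headers and sets X-SSL-Client-CN from the
    verified certificate (assumed behaviour). On plain HTTP with policy Allow,
    the unpatched router passes client-supplied headers through untouched; the
    patched router strips them first.
    """
    if req.scheme == "https":
        headers = strip_client_headers(req.headers)
        if req.verified_cn is not None:
            headers["X-SSL-Client-CN"] = req.verified_cn
        return headers
    if insecure_policy != "Allow":
        return None
    return strip_client_headers(req.headers) if patched else dict(req.headers)


def vulnerable_backend(headers: Dict[str, str]) -> Optional[str]:
    """Backend that treats X-SSL-Client-CN as the authenticated identity (bypassable pattern)."""
    for name, value in headers.items():
        if name.lower() == "x-ssl-client-cn":
            return value
    return None


def hardened_backend(headers: Dict[str, str], backend_tls_cn: Optional[str]) -> Optional[str]:
    """Backend that validates the client certificate on its own TLS hop and ignores
    header values for authentication, as the mitigation recommends. The header is
    used only for logging a mismatch, never for the access decision."""
    claimed = vulnerable_backend(headers)
    if claimed is not None and claimed != backend_tls_cn:
        print(f"warning: header claims CN {claimed!r} but TLS verified {backend_tls_cn!r}")
    return backend_tls_cn


# Constructed access-log lines for the monitoring check (not real router output).
# Format assumed here: "<scheme> <client_ip> <method> <path> [Header=value ...]".
SAMPLE_LOG: List[str] = [
    "http 203.0.113.5 GET /admin X-SSL-Client-CN=alice",
    "https 198.51.100.7 GET /admin X-SSL-Client-CN=bob",
    "http 203.0.113.9 GET /health",
]


def suspicious_requests(log_lines: List[str]) -> List[str]:
    """Return plain-HTTP log entries that carry any X-SSL-Client-* header.

    A client has no legitimate reason to send these headers; on a plain HTTP
    request there is no certificate the router could have derived them from.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "http":
            continue
        if any(p.lower().startswith(FORGEABLE_PREFIX) for p in parts[4:]):
            hits.append(line)
    return hits


if __name__ == "__main__":
    forged = Request("http", {"X-SSL-Client-CN": "admin"})
    print("unpatched, Allow :", vulnerable_backend(router_forward(forged, "Allow", patched=False)))
    print("patched, Allow   :", vulnerable_backend(router_forward(forged, "Allow", patched=True)))
    print("unpatched, Redirect:", router_forward(forged, "Redirect", patched=False))
    print("flagged log lines:", suspicious_requests(SAMPLE_LOG))
```

Running the block shows the unpatched router with policy Allow handing the backend a forged `admin` identity, the patched router delivering no identity at all for the same request, and policy Redirect never forwarding the plain HTTP request to the backend. The log check flags only the plain HTTP line carrying the header; the same header on the TLS line is expected because the router sets it there.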