Bug 1077447

Summary: [ovirt][engine-api] Force switch HTTPS to HTTP in REST API
Product: [Retired] oVirt Reporter: lzhuang <lzhuang>
Component: ovirt-engine-apiAssignee: Alon Bar-Lev <alonbl>
Status: CLOSED CURRENTRELEASE QA Contact: Pavel Stehlik <pstehlik>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.4CC: acathrow, alonbl, gklein, huiwang, iheim, jechoi, juan.hernandez, khong, lzhuang, sbonazzo, suli, yeylon, yuzheng
Target Milestone: ---Keywords: Security
Target Release: 3.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: integration
Fixed In Version: ovirt-3.4.0-ga Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-31 12:28:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1024889    

Description lzhuang 2014-03-18 03:23:00 UTC 
Description of problem:
Attackers can force switch all the REST APIs(https://<host_ip>/api) from HTTPS into HTTP, so attackers can induce the victim user using crafted html page for eavesdropping user credentials like authorization token.

Version-Release number of selected component (if applicable):
oVirt 3.4.0-5 beta3

How reproducible:
100%

Steps to Reproduce:
1. Open http://<host_ip>/api in browser

Actual results:
Browser successfully opens the page

Expected results:
Should force switch to https://<host_ip>/api

Additional info:
Comment 1 Alon Bar-Lev 2014-03-18 10:30:08 UTC 
This was kept for backward compatibility as HTTP redirect is not mandatory in Rest API.

It is up to the 3rd party to select the channel to use.
Comment 2 Juan Hernández 2014-03-18 10:43:04 UTC 
What backwards compatibility? The previous version didn't accept non encrypted connections.
Comment 3 Alon Bar-Lev 2014-03-18 10:56:27 UTC 
(In reply to Juan Hernández from comment #2)
> What backwards compatibility? The previous version didn't accept non
> encrypted connections.

Correct.

My bad[1]

Was confused with other application.

[1] http://gerrit.ovirt.org/#/c/6827/
Comment 4 Juan Hernández 2014-03-18 11:04:36 UTC 
Sandro, I think that 3.4.0 shouldn't be released without the fix for this bug.
Comment 5 Juan Hernández 2014-03-18 11:05:31 UTC 
Can we make this bug public, please?
Comment 6 Alon Bar-Lev 2014-03-18 11:31:45 UTC 
Removing restriction as impact is not that high.
Comment 7 Kurt Seifried 2014-03-21 20:38:24 UTC 
SRT Note: this is a security hardening issue and not a security vulnerability, so no CVE/etc.
Comment 8 Kurt Seifried 2014-03-24 19:06:22 UTC 
Some notes: I would suggest you add a permanent redirect (301 moved permanently) to the HTTP pointing at the HTTPS, and then to prevent HTTP use in future add an HSTS header http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
Comment 9 Sandro Bonazzola 2014-03-31 12:28:24 UTC 
this is an automated message: moving to Closed CURRENT RELEASE since oVirt 3.4.0 has been released