Bug 1243571 (CVE-2015-5152)

Summary: CVE-2015-5152 Foreman: API permits HTTP requests when require_ssl is enabled
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, bkearney, chrisw, cpelland, cperry, dallan, gkotton, jrusnack, katello-bugs, lhh, lpeer, markmc, mburns, mmccune, ohadlevy, rbryant, rhos-maint, sclewis, tdecacqu, tjay, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-15 22:14:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1243576    

Description Kurt Seifried 2015-07-15 19:42:55 UTC 
Dominic Cleal of Red Hat reports:

The "require_ssl" setting (in /etc/foreman/settings.yml) should enforce that web requests sent to Foreman over HTTP are redirected to HTTPS, but this was found not to happen with API requests (e.g. from Hammer CLI). Foreman will process API requests over HTTP, but should have redirected.

Redirection won't help with credentials having already been sent, but should give some notification that the user/app is using the wrong URL.

Affects all versions of Foreman since 1.1.

The issue has already been fixed since Foreman 1.9.0-RC1 via a refactor in #10471.

To mitigate this with Apache, add a stanza to the HTTP VirtualHost (e.g. in /etc/httpd/conf.d/05-foreman.d/api_redirect.conf) similar to:

RewriteEngine On
RewriteRule ^/api/(.*) https://%{SERVER_NAME}/api/$1 [R,L]

External reference:

http://projects.theforeman.org/issues/11119
Comment 1 Kurt Seifried 2015-07-15 22:14:17 UTC 
Statement:

This issue affects the versions of foreman as shipped with Red Hat Satellite 6 and OpenStack. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.