Bug 1436262 (CVE-2017-2667)

Summary: CVE-2017-2667 rubygem-hammer_cli: no verification of API server's SSL certificate
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: apevec, ayoung, bkearney, cbillett, chrisw, cvsbot-xmlrpc, jjoyce, jmatthew, jschluet, kbasil, lhh, lpeer, markmc, mburns, mmccune, ohadlevy, rbryant, rhos-maint, sclewis, srevivo, tdecacqu, tjay, tlestach, tsanders
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
It was found that the hammer_cli command line client disables SSL/TLS certificate verification by default. A man-in-the-middle (MITM) attacker could use this flaw to spoof a valid certificate.
Last Closed: 2018-03-08 21:53:25 UTC
Bug Depends On: 1435568, 1435573
Bug Blocks: 1432305

Description Martin Prpič 2017-03-27 14:13:39 UTC
Tomas Strachota of Red Hat reports:

It was found that Hammer CLI, a CLI utility for Foreman, did not explicitly set the verify_ssl flag for apipie-bindings, which disables it by default. As a result, the server certificates are not checked and connections are prone to man-in-the-middle attacks.

Upstream issue:

http://projects.theforeman.org/issues/19033
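The failure mode described in the report, as an added Ruby demonstration (not hammer_cli's or apipie-bindings' own code): a throwaway self-signed certificate, constructed here, stands in for a spoofed server, and the same TLS handshake is attempted with verification off (what an unset verify_ssl amounted to) and on. It assumes Ruby's bundled openssl library and that loopback sockets are available.

```ruby
require 'openssl'
require 'socket'
# Throwaway self-signed certificate, constructed for this example. To a client
# that skips verification it is indistinguishable from the real server's cert.
def self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=spoofed.example')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end
# TLS listener on an ephemeral loopback port presenting that certificate;
# returns the port. Handshakes the client rejects are swallowed and served on.
def start_tls_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  tcp = TCPServer.new('127.0.0.1', 0)
  ssl = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      begin
        ssl.accept.close
      rescue StandardError
        nil # client aborted the handshake (verification failure); keep serving
      end
    end
  end
  tcp.addr[1]
end
# One client handshake. verify_ssl nil/false => VERIFY_NONE (the effective
# pre-fix behaviour); true => VERIFY_PEER against the system trust store.
def handshake_ok?(port, verify_ssl)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify_ssl ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
  ctx.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths) if verify_ssl
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  ssl.sync_close = true # closing the SSL layer also closes the TCP socket
  ssl.connect
  true
rescue OpenSSL::SSL::SSLError
  false # certificate rejected: issuer is not in the trust store
ensure
  ssl.close if ssl
end
```

With verification off the spoofed certificate is accepted silently; with it on, the handshake fails before any request is sent, which is the check the fixed client performs.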

Comment 1 Martin Prpič 2017-03-27 14:13:41 UTC
Acknowledgments:

Name: Tomas Strachota (Red Hat)

Comment 2 Tim Suter 2017-03-27 21:48:05 UTC
openstack 6 foreman installer is EOL

Comment 4 errata-xmlrpc 2018-02-21 12:25:36 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.3 for RHEL 7

Via RHSA-2018:0336 https://access.redhat.com/errata/RHSA-2018:0336

Comment 6 Andrej Nemec 2018-05-14 11:52:26 UTC
Statement:

This issue affects the versions of rubygem-hammer_cli as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.