Bug 959041 (CVE-2013-2049)

Summary: CVE-2013-2049 CloudForms Management Engine 2: static secret_token.rb value
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Version: unspecified
CC: bdunne, bressers, djorm, jfrey, jrafanie, kseifried, obarenbo, security-response-team, xlecauch, ytale
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-11-13 01:39:09 UTC
Bug Depends On: 959045
Bug Blocks: 959043, 1011266

Description Kurt Seifried 2013-05-03 04:39:05 UTC
Ruby on Rails uses an HMAC for verifying the integrity of signed cookies. To prevent session hash tampering, a digest is calculated from the session with a server-side secret and appended to the end of the cookie.

It was found that CloudForms Management Engine (CFME) is using a statically defined secret, which is common across all deployments. A remote attacker could use this statically defined secret to perform a session tampering attack.

External references:

http://blog.phusion.nl/2013/01/04/securing-the-rails-session-secret/
http://blog.mhartl.com/2008/08/15/a-security-issue-with-rails-secret-session-keys/
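
The Rails signed-cookie scheme the description refers to, as an added illustration that is not part of the bug report or of CFME's code: a cookie is the base64 session followed by "--" and an HMAC-SHA1 of that data under the server-side secret. The helper models two deployments and shows why a secret shared by every install defeats the check (a cookie minted anywhere verifies everywhere) while a per-deployment random secret rejects it. JSON stands in for the Marshal serialisation Rails actually uses, and the session contents are constructed sample values.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Rails-style signed cookie: "<base64 payload>--<hex HMAC-SHA1 over that payload>".
# Rails serialises the session with Marshal; JSON is used here for readability.
def sign_session(secret, session)
  data = Base64.strict_encode64(JSON.generate(session))
  "#{data}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)}"
end

# Constant-time comparison, as ActiveSupport::MessageVerifier does it:
# a plain == would leak how many leading bytes of the digest matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash if the signature verifies under +secret+, else nil.
def verify_session(secret, cookie)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
  return nil unless secure_compare(digest, expected)
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil # malformed base64 or payload: treat as an invalid cookie
end

# What config/initializers/secret_token.rb should hold: a value generated
# once per deployment at install time, never a constant shipped in the package.
def fresh_secret_token
  SecureRandom.hex(64)
end

# Models two deployments holding secret_a and secret_b. True means a cookie
# minted for deployment A is accepted by deployment B, which is exactly the
# cross-deployment exposure a static, package-wide secret creates.
def cookie_accepted_across_deployments?(secret_a, secret_b)
  cookie = sign_session(secret_a, { 'user_id' => 1, 'role' => 'user' })
  !verify_session(secret_b, cookie).nil?
end
```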

Comment 4 Kurt Seifried 2013-10-22 05:11:12 UTC
Acknowledgements:

This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.

Comment 6 David Jorm 2013-11-13 01:39:09 UTC
Statement:

This issue is resolved in CloudForms 3.0. The maintenance support policy for CloudForms 2.0 only covers critical security issues, meaning this issue is out of scope. Users of CloudForms 2.0 are advised to upgrade to CloudForms 3.0 to address this issue.