Description of problem:
Attackers can force all the REST APIs (https://<host_ip>/api) to switch from HTTPS to HTTP, so attackers can use a crafted HTML page to induce the victim user into exposing credentials, such as the authorization token, to eavesdropping.

Version-Release number of selected component (if applicable):
oVirt 3.4.0-5 beta3

How reproducible:
100%

Steps to Reproduce:
1. Open http://<host_ip>/api in browser

Actual results:
Browser successfully opens the page

Expected results:
Should force switch to https://<host_ip>/api

Additional info:
This was kept for backward compatibility as HTTP redirect is not mandatory in Rest API. It is up to the 3rd party to select the channel to use.
What backwards compatibility? The previous version didn't accept non encrypted connections.
(In reply to Juan Hernández from comment #2)
> What backwards compatibility? The previous version didn't accept non
> encrypted connections.

Correct. My bad [1]. Was confused with other application.

[1] http://gerrit.ovirt.org/#/c/6827/
Sandro, I think that 3.4.0 shouldn't be released without the fix for this bug.
Can we make this bug public, please?
Removing restriction as impact is not that high.
SRT Note: this is a security hardening issue and not a security vulnerability, so no CVE/etc.
Some notes: I would suggest you add a permanent redirect (301 moved permanently) to the HTTP pointing at the HTTPS, and then to prevent HTTP use in future add an HSTS header http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
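The two measures suggested in the comment above (a 301 from the HTTP endpoint to its HTTPS counterpart, and an HSTS header on the HTTPS side) can be verified from raw HTTP responses. The script below is an added example written for this thread, not oVirt's code or its actual fix; the host name engine.example, the sample responses and the six-month HSTS minimum are constructed assumptions.

```python
"""Offline checker for the HTTP->HTTPS redirect and the HSTS header.

Responses are parsed from raw bytes so the check needs no network;
the sample responses at the bottom are constructed, not captured
from a real oVirt engine.
"""
from urllib.parse import urlsplit


def parse_response(raw: bytes):
    """Return (status_code, headers) from a raw HTTP/1.x response.

    Header names are lower-cased; a repeated header keeps its last value.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_plain_http(raw: bytes, host: str, path: str):
    """Findings for the answer a client gets on http://host/path.

    Expected behaviour: 301 to the same host and path over https,
    so an API client that was pointed at http:// ends up on TLS
    without losing the resource it asked for.
    """
    status, headers = parse_response(raw)
    findings = []
    if status != 301:
        findings.append(f"http://{host}{path} answered {status}, expected 301")
        return findings
    loc = urlsplit(headers.get("location", ""))
    if loc.scheme != "https":
        findings.append(f"Location is not https: {headers.get('location')!r}")
    if loc.hostname != host or loc.path != path:
        findings.append("redirect changes host or path; clients may lose the API path")
    return findings


def check_hsts(raw: bytes, min_age: int = 15768000):
    """Findings for the HTTPS response.

    Strict-Transport-Security must be present with a max-age of at least
    min_age seconds (six months here; an assumed policy, not a standard).
    """
    _status, headers = parse_response(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header on HTTPS response"]
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val.strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return [f"HSTS max-age missing or malformed: {value!r}"]
    if max_age < min_age:
        return [f"HSTS max-age {max_age} below policy minimum {min_age}"]
    return []


# Constructed sample responses (hypothetical host engine.example).
BEFORE_FIX_HTTP = (          # the behaviour this bug reports: plain HTTP served
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/xml\r\n"
    b"Content-Length: 0\r\n\r\n"
)
AFTER_FIX_HTTP = (           # suggested hardening: permanent redirect to https
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://engine.example/api\r\n"
    b"Content-Length: 0\r\n\r\n"
)
AFTER_FIX_HTTPS = (          # HTTPS side carrying HSTS
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Type: application/xml\r\n"
    b"Content-Length: 0\r\n\r\n"
)
HTTPS_NO_HSTS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/xml\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("before fix:", check_plain_http(BEFORE_FIX_HTTP, "engine.example", "/api"))
    print("after fix: ", check_plain_http(AFTER_FIX_HTTP, "engine.example", "/api"))
    print("hsts ok:   ", check_hsts(AFTER_FIX_HTTPS))
    print("hsts miss: ", check_hsts(HTTPS_NO_HSTS))
```

On an Apache httpd front end the corresponding directives would be a `Redirect permanent` (mod_alias) on the plain-HTTP virtual host and `Header always set Strict-Transport-Security "max-age=..."` (mod_headers) on the TLS one; that is a general configuration pattern, not a description of how oVirt implemented the fix.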
this is an automated message: moving to Closed CURRENT RELEASE since oVirt 3.4.0 has been released