Bug 1243571 (CVE-2015-5152) - CVE-2015-5152 Foreman: API permits HTTP requests when require_ssl is enabled
Summary: CVE-2015-5152 Foreman: API permits HTTP requests when require_ssl is enabled
Status: CLOSED WONTFIX
Alias: CVE-2015-5152
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150715,repor...
Keywords: Security
Depends On:
Blocks: 1243576
TreeView+ depends on / blocked
 
Reported: 2015-07-15 19:42 UTC by Kurt Seifried
Modified: 2019-06-08 20:39 UTC (History)
24 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-07-15 22:14:17 UTC


Attachments (Terms of Use)

Description Kurt Seifried 2015-07-15 19:42:55 UTC
Dominic Cleal of Red Hat reports:

The "require_ssl" setting (in /etc/foreman/settings.yml) should enforce that web requests sent to Foreman over HTTP are redirected to HTTPS, but this was found not to happen with API requests (e.g. from Hammer CLI). Foreman will process API requests over HTTP, but should have redirected.

Redirection won't help with credentials having already been sent, but should give some notification that the user/app is using the wrong URL.

Affects all versions of Foreman since 1.1.

The issue has already been fixed since Foreman 1.9.0-RC1 via a refactor in #10471.

To mitigate this with Apache, add a stanza to the HTTP VirtualHost (e.g. in /etc/httpd/conf.d/05-foreman.d/api_redirect.conf) similar to:

RewriteEngine On
RewriteRule ^/api/(.*) https://%{SERVER_NAME}/api/$1 [R,L]

External reference:

http://projects.theforeman.org/issues/11119

Comment 1 Kurt Seifried 2015-07-15 22:14:17 UTC
Statement:

This issue affects the versions of foreman as shipped with Red Hat Satellite 6 and OpenStack. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.


Note You need to log in before you can comment on or make changes to this bug.