Tomas Strachota of Red Hat reports: It was found that Hammer CLI, a CLI utility for Foreman, did not explicitly set the verify_ssl flag for apipie-bindings, which disables it by default. As a result the server certificate is not checked and connections are prone to man-in-the-middle attacks. Upstream issue: http://projects.theforeman.org/issues/19033
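The failure mode described above is a client that forwards its options to a binding library without stating verify_ssl, so the library's own default (off) silently wins. The following is an added illustration, not Hammer CLI's or apipie-bindings' code: LaxBindings is a hypothetical stand-in for a library whose options default verify_ssl to false, build_vulnerable_client reproduces the bug pattern, build_hardened_client shows the fix (the caller sets verify_ssl explicitly, defaulting to true), and verifies_server_cert? is an audit helper that reports what the resulting Net::HTTP client would actually do. The hostname is a constructed placeholder and nothing connects to the network.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Hypothetical stand-in for a binding library whose options default
# verify_ssl to false when the caller does not set it. This is NOT
# apipie-bindings' real code; it only models the documented default.
class LaxBindings
  DEFAULTS = { verify_ssl: false }.freeze

  attr_reader :options

  def initialize(opts = {})
    @options = DEFAULTS.merge(opts)
  end

  # Map the verify_ssl option to the OpenSSL verify mode the HTTP layer uses.
  def verify_mode
    options[:verify_ssl] ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
  end

  # Build (but do not connect) a Net::HTTP client from the options, so the
  # effective TLS setting can be inspected offline.
  def http_client
    uri = URI.parse(options[:uri])
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = (uri.scheme == 'https')
    http.verify_mode = verify_mode
    http
  end
end

# Bug pattern: the CLI layer passes through only what it was given, so
# verify_ssl is never set and the library default (false) applies.
def build_vulnerable_client(uri, cli_opts = {})
  LaxBindings.new({ uri: uri }.merge(cli_opts))
end

# Fix pattern: the caller states verify_ssl explicitly, defaulting to true.
# A user can still opt out, but only by saying so; a silent library default
# can no longer turn certificate checking off.
def build_hardened_client(uri, cli_opts = {})
  LaxBindings.new({ uri: uri, verify_ssl: true }.merge(cli_opts))
end

# Audit helper: true only when the client as configured will check the
# server certificate chain (VERIFY_PEER).
def verifies_server_cert?(client)
  client.http_client.verify_mode == OpenSSL::SSL::VERIFY_PEER
end

if $PROGRAM_NAME == __FILE__
  host = 'https://foreman.example.test' # constructed placeholder, never contacted
  puts "vulnerable client verifies cert: #{verifies_server_cert?(build_vulnerable_client(host))}"
  puts "hardened client verifies cert:   #{verifies_server_cert?(build_hardened_client(host))}"
end
```

The audit helper is the part worth keeping around: when a CLI wraps a client library, checking the verify_mode of the object the library actually builds, rather than the options the CLI thinks it passed, is what exposes an inherited insecure default.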
Acknowledgments: Name: Tomas Strachota (Red Hat)
The OpenStack 6 Foreman installer is EOL (end of life).
This issue has been addressed in the following products: Red Hat Satellite 6.3 for RHEL 7 Via RHSA-2018:0336 https://access.redhat.com/errata/RHSA-2018:0336
Statement: This issue affects the versions of rubygem-hammer_cli as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.