Description of problem:
The apache webserver of the hosted engine is configured to support the TRACE method by default. The ansible scripts should include a modification to disable TRACE.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start ovirt-engine
2. Scan using a vulnerability scanner
3.

Actual results:
TRACE is supported

Expected results:
TRACE should be disabled

Additional info:
TRACE may be disabled by providing a file /etc/httpd/conf.d/trace.conf with the following content:
TraceEnable Off
Why is this regarded as a security issue? Apache addresses this directly and claims that it is not, see: https://httpd.apache.org/docs/2.4/mod/core.html

"Despite claims to the contrary, enabling the TRACE method does not expose any security vulnerability in Apache httpd. The TRACE method is defined by the HTTP/1.1 specification and implementations are expected to support it."
Hi Ori, the statement made by the apache team is true: It does not expose a vulnerability in Apache. But that is not the point. It might be used to attack a web application like oVirt hosted on the apache. See: https://www.owasp.org/index.php/Cross_Site_Tracing Therefore most vulnerability assessment tools will flag the TRACE method as critical. There are even several CVEs like https://nvd.nist.gov/vuln/detail/CVE-2010-0386
OK, so let's disable the trace as a part of engine installation
Verified on: ovirt-engine-4.4.1.7-0.3.el8ev.noarch

Steps:
1. curl -X TRACE -H 'All-content: true' -u admin@internal:<psswrd> --insecure https://<engine-fqdn>/ovirt-engine/api

Results:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /ovirt-engine/api.</p>
</body></html>
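The curl check in the verification comment above only looks at the status code. What cross-site tracing (the OWASP reference cited earlier in this bug) actually abuses is that a 200 reply to TRACE echoes the request headers, including Cookie or Authorization, back in the body. The following probe is an added example, not code from this bug report or from the oVirt/RHV project: it sends a raw TRACE request carrying a constructed marker header and reports whether the server echoed it, treating 405 (what httpd returns with TraceEnable Off) or 501 as "disabled". The marker name, the sample responses and the `probe_trace` helper are assumptions for illustration; the samples are constructed, not captured from a real engine.

```python
import socket
import ssl
import sys

# Constructed marker header (assumption for this example). If its value comes
# back in the body, the server reflects request headers, which is exactly what
# cross-site tracing relies on to read cookies or auth headers.
MARKER_NAME = "X-Xst-Probe"
MARKER_VALUE = "trace-probe-7f3a"


def build_trace_request(host, path="/"):
    """Build a raw HTTP/1.1 TRACE request carrying the marker header."""
    return (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"{MARKER_NAME}: {MARKER_VALUE}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def classify_trace_response(raw):
    """Classify a raw HTTP response to the TRACE request built above.

    Returns one of:
      "echoed"     2xx and the marker header came back in the body (TRACE on)
      "disabled"   405 Method Not Allowed (httpd TraceEnable Off) or 501
      "not_echoed" 2xx but nothing reflected (e.g. a proxy answered instead)
      "other"      anything else: redirects, auth challenges, malformed data
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        return "other"
    status = int(parts[1])
    if status in (405, 501):
        return "disabled"
    if 200 <= status < 300:
        # Header names are case-insensitive, so compare lower-cased.
        marker = f"{MARKER_NAME}: {MARKER_VALUE}".lower().encode("ascii")
        return "echoed" if marker in body.lower() else "not_echoed"
    return "other"


def probe_trace(host, port=443, path="/", use_tls=True, verify=True, timeout=5.0):
    """Send the TRACE request to host:port and classify the answer (network I/O)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        if not verify:  # like curl --insecure, for self-signed engine certs
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_trace_request(host, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


# Constructed sample responses for offline use (not captured from a real host).
SAMPLE_TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: engine.example\r\n"
    b"X-Xst-Probe: trace-probe-7f3a\r\nConnection: close\r\n\r\n"
)
SAMPLE_TRACE_DISABLED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET,POST,OPTIONS,HEAD\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b"<html><body><h1>Method Not Allowed</h1></body></html>"
)

if __name__ == "__main__":
    # usage: python probe.py <engine-fqdn> [path]   (path defaults to /)
    if len(sys.argv) < 2:
        for name, sample in (("enabled", SAMPLE_TRACE_ENABLED),
                             ("disabled", SAMPLE_TRACE_DISABLED)):
            print(f"sample {name}: {classify_trace_response(sample)}")
    else:
        target_path = sys.argv[2] if len(sys.argv) > 2 else "/"
        print(probe_trace(sys.argv[1], path=target_path, verify=False))
```

Run with no arguments to see the two constructed samples classified; with an engine FQDN it performs the real probe over TLS without certificate verification, mirroring the `--insecure` curl in the verification step. A result of "echoed" means the scanner finding is legitimate; "disabled" is what an engine with /etc/httpd/conf.d/trace.conf containing TraceEnable Off should produce.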
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:3247