Bug 1764959 - Apache is configured to offer TRACE method (security)
Summary: Apache is configured to offer TRACE method (security)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.3.5
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ovirt-4.4.1
: 4.4.1
Assignee: Eli Mesika
QA Contact: Guilherme Santos
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-10-24 05:38 UTC by Ralf Spenneberg
Modified: 2020-08-04 13:21 UTC

Fixed In Version: ovirt-engine-4.4.1.5
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-08-04 13:20:56 UTC
oVirt Team: Infra
Target Upstream Version:
lsvaty: testing_plan_complete-




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3247 0 None None None 2020-08-04 13:21:18 UTC
oVirt gerrit 109800 0 master MERGED packaging: httpd conf: Set TraceEnable to Off 2021-02-17 06:38:28 UTC

Description Ralf Spenneberg 2019-10-24 05:38:13 UTC
Description of problem:
The Apache web server of the hosted engine is configured to support the TRACE method by default. The Ansible scripts should include a modification to disable TRACE.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Start ovirt-engine
2. Scan using a vulnerability scanner 
3.

Actual results:
TRACE is supported

Expected results:
TRACE should be disabled

Additional info:
TRACE may be disabled by providing a file
/etc/httpd/conf.d/trace.conf
with the following content:
TraceEnable Off
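
Added example (not part of the original report and not oVirt's own code): a POSIX shell check that reads a directory of httpd snippets such as /etc/httpd/conf.d and reports whether TRACE is switched off there. The function name audit_trace and the sample files are assumptions constructed for illustration; <VirtualHost> scoping and include order are ignored, so any value other than Off counts as on.

```sh
#!/bin/sh
# audit_trace DIR
# Prints one word describing the TraceEnable directives found in DIR/*.conf:
#   off   - every TraceEnable directive found says Off
#   on    - at least one directive says On or Extended (both answer TRACE)
#   unset - no directive at all, so httpd's default (TraceEnable on) applies
# Conservative simplification (assumption of this example): scopes such as
# <VirtualHost> are not modelled, one non-Off value anywhere yields "on".
audit_trace() {
    dir=$1
    state=unset
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue          # unmatched glob or not a regular file
        # Directive names and arguments are case-insensitive. Commented-out
        # lines do not match because their first field starts with '#'.
        vals=$(awk 'tolower($1) == "traceenable" {
                        v = tolower($2); gsub(/"/, "", v)
                        print (v == "off" ? "off" : "on")
                    }' "$f")
        for v in $vals; do
            case $v in
                off) [ "$state" = on ] || state=off ;;
                on)  state=on ;;
            esac
        done
    done
    printf '%s\n' "$state"
}

# Constructed sample input: one unrelated snippet, then the trace.conf
# proposed in the report.
demo_dir=$(mktemp -d)
printf '# TraceEnable On\nServerTokens Prod\n' > "$demo_dir/ssl.conf"
echo "before fix: $(audit_trace "$demo_dir")"
printf 'TraceEnable Off\n' > "$demo_dir/trace.conf"
echo "after fix:  $(audit_trace "$demo_dir")"
rm -rf "$demo_dir"
```

A result of unset or on means the server should still be expected to answer TRACE; only off matches the expected result stated in the report.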

Comment 1 Ori Liel 2019-11-14 09:17:54 UTC
Why is this regarded as a security issue? Apache addresses this directly and claims that it is not, see:

  https://httpd.apache.org/docs/2.4/mod/core.html

"Despite claims to the contrary, enabling the TRACE method does not expose any security vulnerability in Apache httpd. The TRACE method is defined by the HTTP/1.1 specification and implementations are expected to support it."

Comment 2 Ralf Spenneberg 2019-11-14 09:29:30 UTC
Hi Ori,

The statement made by the Apache team is true: it does not expose a vulnerability in Apache. But that is not the point. It might be used to attack a web application like oVirt hosted on Apache.
See: https://www.owasp.org/index.php/Cross_Site_Tracing
Therefore most vulnerability assessment tools will flag the TRACE method as critical.
There are even several CVEs like https://nvd.nist.gov/vuln/detail/CVE-2010-0386

Comment 3 Martin Perina 2019-11-15 17:53:23 UTC
OK, so let's disable the trace as a part of engine installation

Comment 8 Guilherme Santos 2020-07-09 12:22:11 UTC
Verified on:
ovirt-engine-4.4.1.7-0.3.el8ev.noarch

Steps:
1. curl -X TRACE -H 'All-content: true' -u admin@internal:<psswrd> --insecure https://<engine-fqdn>/ovirt-engine/api

Results
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /ovirt-engine/api.</p>
</body></html>

Comment 13 errata-xmlrpc 2020-08-04 13:20:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3247

