Description of problem:
The Apache web server of the hosted engine is configured to support the TRACE method by default. The Ansible scripts should include a modification to disable TRACE.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Start ovirt-engine
2. Scan using a vulnerability scanner
Actual results:
TRACE is supported
Expected results:
TRACE should be disabled
Additional info:
TRACE may be disabled by providing a file with the following content:
Why is this regarded as a security issue? Apache addresses this directly and claims that it is not, see:
"Despite claims to the contrary, enabling the TRACE method does not expose any security vulnerability in Apache httpd. The TRACE method is defined by the HTTP/1.1 specification and implementations are expected to support it."
The statement made by the Apache team is true: it does not expose a vulnerability in Apache. But that is not the point. It might be used to attack a web application like oVirt hosted on Apache.
Therefore most vulnerability assessment tools will flag the TRACE method as critical.
There are even several CVEs like https://nvd.nist.gov/vuln/detail/CVE-2010-0386
OK, so let's disable TRACE as a part of engine installation.
1. curl -X TRACE -H 'All-content: true' -u admin@internal:<psswrd> --insecure https://<engine-fqdn>/ovirt-engine/api
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>405 Method Not Allowed</title>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /ovirt-engine/api.</p>
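The same check as the curl command above, written as a small probe that can be run against a lab engine or, offline, against captured responses. This is an added example and not code from the bug report or from oVirt; the marker header name and value, the sample responses and the default path are assumptions. The point it adds over a bare status-code check is the cross-site-tracing signal itself: TRACE is only "enabled" when the server echoes the request (and so our marker header) back in the body, and a 200 that merely serves a page is not an echo.

```python
"""Probe for HTTP TRACE (cross-site tracing) the way the curl check above does.

Added example, not code from the bug report or from oVirt. It sends TRACE
with a marker header and reports the method as enabled only when the server
echoes the request back; the classifier is pure so it can be exercised on
captured responses without a live engine.
"""
import http.client
import ssl
from dataclasses import dataclass

# Marker header: an assumed name/value, chosen so a reflected copy is unambiguous.
MARKER_NAME = "X-Trace-Probe"
MARKER_VALUE = "xst-probe-4f2c9"


@dataclass
class TraceResult:
    status: int
    enabled: bool
    reason: str


def classify_trace_response(status: int, content_type: str, body: str) -> TraceResult:
    """Decide from one TRACE response whether the method is honoured.

    A real TRACE echo is a 200 whose body is the request we sent, normally
    with Content-Type message/http. A 200 that does not contain the marker
    (an application answering every method with a page) is not an echo.
    """
    echoed = status == 200 and (
        MARKER_VALUE in body or content_type.lower().startswith("message/http")
    )
    if echoed:
        return TraceResult(status, True, "server echoed the TRACE request")
    if status in (403, 405, 501):
        return TraceResult(status, False, f"server rejected TRACE with {status}")
    return TraceResult(status, False, f"no request echo in response (status {status})")


def probe_trace(host: str, path: str = "/ovirt-engine/api",
                port: int = 443, verify_tls: bool = False) -> TraceResult:
    """Send a TRACE to a live server and classify the reply.

    verify_tls=False mirrors curl --insecure from the check above; keep it
    for lab hosts only. Not executed offline.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("TRACE", path, headers={MARKER_NAME: MARKER_VALUE})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return classify_trace_response(resp.status, resp.getheader("Content-Type", ""), body)
    finally:
        conn.close()


# Constructed sample responses (not real captures) covering the three cases.
SAMPLE_ENABLED = (
    200, "message/http",
    "TRACE /ovirt-engine/api HTTP/1.1\r\nHost: engine.example\r\n"
    f"{MARKER_NAME}: {MARKER_VALUE}\r\n\r\n",
)
SAMPLE_DISABLED = (
    405, "text/html; charset=iso-8859-1",
    "<title>405 Method Not Allowed</title>"
    "<p>The requested method TRACE is not allowed for the URL /ovirt-engine/api.</p>",
)
SAMPLE_200_NO_ECHO = (200, "text/html", "<html><body>Welcome</body></html>")


if __name__ == "__main__":
    for name, sample in (("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED),
                         ("200-no-echo", SAMPLE_200_NO_ECHO)):
        r = classify_trace_response(*sample)
        print(f"{name}: enabled={r.enabled} ({r.reason})")
```

On the server side the directive that produces the 405 shown above is httpd's core `TraceEnable off` (it defaults to `on`); dropping a one-line file with that directive into the httpd configuration directory and reloading httpd is the whole change, and the probe is how to confirm it took effect.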
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Important: RHV Manager (ovirt-engine) 4.4 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.