We have found a flaw in the generation of the Application.config.secret_token value. This value is used in the file /usr/share/katello/config/initializers/secret_token.rb to provide a secret token when session cookies are generated for user sessions within Katello. Specifically, a static key with the following value is included by default:

    f466b184ef680822293d7130f57593a7087a34b5de0607c64d1ceb66fcac4dce\
    6810a6f176feba3fbbf2489de93c0918397c0c275996eb476b2fa6079ab849c1

The spec file for Katello includes commands to generate a new key:

    NEWKEY=$(</dev/urandom tr -dc A-Za-z0-9 | head -c128)
    sed -i "s/^Src::Application.config.secret_token = '.*'/Src::Application.config.secret_token = '$NEWKEY'/" \
        /usr/share/katello/config/initializers/secret_token.rb

However, these commands were erroneously placed in the "postuninstall" section, which is run when removing Katello from the system. Thus a new secret token is not created on installation, and all affected Katello installations share the same secret token value.

https://access.redhat.com/security/cve/CVE-2012-3503
https://github.com/Katello/katello/pull/499
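The following is an added audit-and-rotate example, not Katello's own code or the fix from the pull request: it checks whether an initializer still carries the shared default token described above and, if so, replaces it with a fresh random value, which is what the spec file's post-install step was meant to do. It assumes the initializer uses the exact `Src::Application.config.secret_token = '...'` line the spec's sed command targets; the sample file it writes is constructed for the demonstration.

```ruby
require 'securerandom'
require 'tempfile'

# Known static secret shipped in every affected Katello build (value taken
# from the advisory; the two halves form one 128-character token).
DEFAULT_SECRET_TOKEN =
  'f466b184ef680822293d7130f57593a7087a34b5de0607c64d1ceb66fcac4dce' \
  '6810a6f176feba3fbbf2489de93c0918397c0c275996eb476b2fa6079ab849c1'

# Matches the assignment line the spec file's sed command targets.
TOKEN_LINE = /^(Src::Application\.config\.secret_token = ')([^']*)(')/

# Extracts the configured token from an initializer file, or nil if absent.
def read_secret_token(path)
  m = TOKEN_LINE.match(File.read(path))
  m && m[2]
end

# Audit: true when the installation still uses the shared default token.
def default_secret_token?(path)
  read_secret_token(path) == DEFAULT_SECRET_TOKEN
end

# Remediation: replace the token with a fresh 128-character random value,
# the step the spec should have run at install time rather than on removal.
def rotate_secret_token!(path)
  new_token = SecureRandom.hex(64) # 64 random bytes -> 128 hex characters
  updated = File.read(path).sub(TOKEN_LINE) { "#{$1}#{new_token}#{$3}" }
  File.write(path, updated)
  new_token
end

# Stand-alone demonstration on a constructed initializer carrying the default.
# Returns [vulnerable_before, vulnerable_after].
def demo
  f = Tempfile.new('secret_token.rb')
  f.write("Src::Application.config.secret_token = '#{DEFAULT_SECRET_TOKEN}'\n")
  f.close
  before = default_secret_token?(f.path)
  rotate_secret_token!(f.path)
  after = default_secret_token?(f.path)
  [before, after]
ensure
  f&.unlink
end
```

Running `demo` returns `[true, false]`: the constructed file is flagged as using the shared default until the token is rotated.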