Ruby on Rails uses an HMAC to verify the integrity of signed cookies. To prevent session hash tampering, a digest is calculated over the session data with a server-side secret and appended to the end of the cookie. It was found that CloudForms Management Engine (CFME) uses a statically defined secret, which is common across all deployments. A remote attacker could use this statically defined secret to perform a session tampering attack.
External references:
http://blog.phusion.nl/2013/01/04/securing-the-rails-session-secret/
http://blog.mhartl.com/2008/08/15/a-security-issue-with-rails-secret-session-keys/
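The following is an added illustration of the mechanism the advisory describes; it is not code from the advisory, from Rails, or from CloudForms. It re-implements the Rails signed-cookie layout (base64 payload, two dashes, hex HMAC-SHA1 digest) in Python with a JSON serializer instead of Ruby's Marshal, which is an assumption made for readability. The static secret string and the session contents are constructed values. The example shows that the signature protects the payload only as long as the secret is unique to a deployment: a cookie minted under a secret shared by every install verifies on every install, while per-deployment secrets reject both cross-deployment cookies and payload tampering.

```python
import base64
import hashlib
import hmac
import json
import secrets


def sign(payload: dict, secret: bytes) -> str:
    """Build a Rails-style signed cookie: base64(data) + "--" + hex(HMAC-SHA1(secret, base64(data)))."""
    data = base64.b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()
    digest = hmac.new(secret, data.encode(), hashlib.sha1).hexdigest()
    return f"{data}--{digest}"


def verify(cookie: str, secret: bytes):
    """Return the payload dict if the digest is valid under `secret`, otherwise None."""
    if "--" not in cookie:
        return None
    data, _, digest = cookie.rpartition("--")
    expected = hmac.new(secret, data.encode(), hashlib.sha1).hexdigest()
    # Constant-time comparison, as Rails' MessageVerifier also does.
    if not hmac.compare_digest(expected, digest):
        return None
    return json.loads(base64.b64decode(data))


def generate_secret() -> bytes:
    """Per-deployment secret: 64 random bytes as 128 hex chars, the size `rake secret` emits."""
    return secrets.token_hex(64).encode()


def demo() -> dict:
    """Contrast a static, shared secret with per-deployment secrets. Returns named boolean checks."""
    static_secret = b"constructed-static-secret-baked-into-every-image"  # constructed value
    deployment_a = generate_secret()
    deployment_b = generate_secret()
    session = {"user_id": 42, "role": "operator"}  # constructed session contents

    # 1. Static secret: a cookie from any deployment is accepted by every other deployment,
    #    because they all verify with the same key. This is the advisory's finding.
    cookie_static = sign(session, static_secret)
    static_verifies_anywhere = verify(cookie_static, static_secret) == session

    # 2. Per-deployment secret: a cookie from deployment A is rejected by deployment B.
    cookie_a = sign(session, deployment_a)
    cross_deployment_rejected = verify(cookie_a, deployment_b) is None

    # 3. Payload tampering without the secret: swap in a different payload but keep the
    #    original digest. The HMAC no longer matches, so the cookie is rejected.
    _, _, original_digest = cookie_a.rpartition("--")
    altered_data, _, _ = sign({"user_id": 1, "role": "admin"}, deployment_a).rpartition("--")
    tampered_cookie = f"{altered_data}--{original_digest}"
    tamper_detected = verify(tampered_cookie, deployment_a) is None

    return {
        "static_secret_verifies_anywhere": static_verifies_anywhere,
        "cross_deployment_rejected": cross_deployment_rejected,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The defensive takeaway matches the linked references: the secret must be generated once per deployment (and never checked into the image or repository), and rotating it invalidates every outstanding session cookie, which is the expected cost of recovering from a disclosed secret.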
Acknowledgements: This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.
Statement: This issue is resolved in CloudForms 3.0. The maintenance support policy for CloudForms 2.0 only covers critical security issues, meaning this issue is out of scope. Users of CloudForms 2.0 are advised to upgrade to CloudForms 3.0 to address this issue.