In Foreman, the OpenSCAP plugin for smart-proxy introduces a flaw that allows any client to perform actions reserved for the Foreman server. On a Foreman with the OpenSCAP plugin and a client system that has Puppet installed with certificates signed by the Puppet CA, or a Foreman with a client system that has a consumer certificate from the Katello CA, an attacker can use that client's certificates to access the OpenSCAP API and perform actions which are reserved for the Foreman server.
Acknowledgments: Evgeni Golov (Red Hat). Upstream: Foreman project.
Mitigation: To mitigate the flaw, disable the smart_proxy_openscap plugin on the server. You can do that either by editing `/etc/foreman-proxy/settings.d/openscap.yml` and restarting the proxy with `systemctl restart foreman-proxy.service`, or by running the `foreman-installer --no-enable-foreman-proxy-plugin-openscap` command.
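An added example (not from the advisory or the Foreman project) to check and apply the file-based mitigation above; it assumes the settings file uses smart-proxy's `:enabled:` key and runs against a constructed sample copy rather than the real file:

```shell
# Added example, not part of the advisory: verify and apply the file-based
# mitigation for the smart-proxy OpenSCAP settings. It reads smart-proxy's
# ":enabled:" key, where true/http/https mean the plugin is loaded and
# false means it is disabled. Sample file content below is constructed.

# Return 0 if the plugin is enabled in the given settings file, 1 otherwise
# (a missing or unreadable file counts as disabled).
openscap_plugin_enabled() {
    settings_file="${1:-/etc/foreman-proxy/settings.d/openscap.yml}"
    [ -r "$settings_file" ] || return 1
    # Last ":enabled:" line wins; drop the key, comments, quotes, whitespace.
    value=$(grep -E '^[[:space:]]*:enabled:' "$settings_file" | tail -n 1 \
        | sed -E 's/^[[:space:]]*:enabled://; s/#.*//' \
        | tr -d "\"' \t" | tr '[:upper:]' '[:lower:]')
    case "$value" in
        true|http|https) return 0 ;;
        *) return 1 ;;
    esac
}

# Set ":enabled: false" in place, keeping the file's inode and permissions.
disable_openscap_plugin() {
    settings_file="${1:-/etc/foreman-proxy/settings.d/openscap.yml}"
    tmp="$settings_file.tmp.$$"
    if grep -qE '^[[:space:]]*:enabled:' "$settings_file" 2>/dev/null; then
        sed -E 's/^([[:space:]]*:enabled:).*/\1 false/' "$settings_file" > "$tmp" \
            && cat "$tmp" > "$settings_file" && rm -f "$tmp"
    else
        printf '%s\n' ':enabled: false' >> "$settings_file"
    fi
}

# Demo on a constructed copy so nothing under /etc is touched.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/openscap.yml"
printf '%s\n' '---' ':enabled: https   # constructed sample' > "$demo_file"
openscap_plugin_enabled "$demo_file" && echo "before: plugin enabled"
disable_openscap_plugin "$demo_file"
openscap_plugin_enabled "$demo_file" || echo "after: plugin disabled"
# On a real proxy, follow with: systemctl restart foreman-proxy.service
rm -rf "$demo_dir"
```

The check treats `http` and `https` the same as `true`, since smart-proxy accepts those values to enable a plugin on a specific listener.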
Statement: Red Hat Satellite 6 ships the smart_proxy_openscap plugin, which is affected by this flaw. The highest threat from this vulnerability is to integrity and system availability.
Upstream patch: https://github.com/theforeman/smart_proxy_openscap/pull/80 (Pending review)