Problem:
The above vulnerability got flagged in Qualys. Tomcat runs natively on OEL9 and there is no date for when the RHEL devs will fix this, as they see it as a lower risk (6.5) than NVD, who have it set as critical (9.1).
There is a mitigation being offered, which is to change clientAuth in the server.xml file (/usr/share/tomcat/conf/server.xml) from “want” to “ensure”. I don’t know why it’s not already, to be honest.
Can any of the devs here think of a reason why we can’t do this and restart Tomcat, well, all Foreman services, to bring the change in?
I will snapshot and test first regardless. Please let me know if there’s a need to report this elsewhere in case it helps with a minor patch fix, if required.
Changing clientAuth to “ensure” was wrong and caused SSL failures when trying to view products.
Found that it should be “need” instead.
Have set it to this and restarted services, but I get the same errors, so I’ve had to revert back to “want” again.
I haven’t heard about this specific CVE yet, and I’m not quite a Candlepin setup expert, but let me ask around and see if someone has worked on mitigating this on a Foreman & Katello installation.
Most likely we should not have clientAuth there at all, because there is no mTLS happening between Foreman and Tomcat. Tomcat runs on localhost over TLS. The authentication is happening through the configured OAuth with Candlepin. I haven’t tested this.
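To see what client-certificate verification each TLS connector in a server.xml actually ends up with before touching it, here is an added checker (example code, not from the thread or from Foreman/Candlepin). It follows Tomcat's documented attributes only: clientAuth on Connector (true/want/false) and certificateVerification on a nested SSLHostConfig (none/optional/optionalNoCA/required); anything else, including the “need” and “ensure” values tried above, is reported as unknown. The embedded server.xml is constructed for the example and only mirrors the clientAuth="want" on a localhost connector described in the thread.

```python
"""Report the client-certificate verification mode of each TLS connector in a Tomcat server.xml."""
import xml.etree.ElementTree as ET

# Canonical modes per Tomcat's documentation; keys are lower-cased raw attribute values.
_MODES = {
    "true": "required", "required": "required",
    "want": "optional", "optional": "optional",
    "optionalnoca": "optionalNoCA",
    "false": "none", "none": "none",
}

def normalize(value):
    """Map a raw clientAuth/certificateVerification value to a canonical mode, or 'unknown'."""
    if value is None:
        return "none"  # attribute absent: Tomcat does not request a client certificate
    return _MODES.get(value.strip().lower(), "unknown")

def audit_connectors(server_xml_text):
    """Return one record per TLS-enabled Connector: port, bind address, mode and where it was set."""
    root = ET.fromstring(server_xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors carry no client-cert setting
        raw, source = None, "default"
        host_cfg = conn.find("SSLHostConfig")
        if host_cfg is not None and host_cfg.get("certificateVerification") is not None:
            raw, source = host_cfg.get("certificateVerification"), "SSLHostConfig/certificateVerification"
        elif conn.get("clientAuth") is not None:
            raw, source = conn.get("clientAuth"), "Connector/clientAuth"
        address = conn.get("address")  # absent means all interfaces
        findings.append({
            "port": conn.get("port"),
            "address": address or "0.0.0.0",
            "mode": normalize(raw),
            "source": source,
            "loopback_only": address in ("127.0.0.1", "::1", "localhost"),
        })
    return findings

# Constructed sample, not a real deployment file: one loopback connector with the thread's
# clientAuth="want", and one all-interfaces connector using an undocumented value.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               address="127.0.0.1" clientAuth="want" sslProtocol="TLS"/>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <SSLHostConfig certificateVerification="need"/>
    </Connector>
  </Service>
</Server>"""

if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print(f)
```

Run it against /usr/share/tomcat/conf/server.xml by reading the file into audit_connectors; a connector reported as "unknown" is one whose value is outside Tomcat's documented set and should be verified against the Tomcat version in use.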