Hi Jason,
> If anyone is using Apache Passenger / Ruby on Rails (which is how the
> Foreman Installer sets up the system) you should consider updating some
> of the gems immediately. Specifically the ActionPack gem, which will
> likely hit you with some dependencies. On my particular system I only
> needed to install the following (in order):
>
> * sprockets: http://rubygems.org/downloads/sprockets-2.2.1.gem
> * activesupport: http://rubygems.org/downloads/activesupport-3.2.11.gem
> * activemodel: http://rubygems.org/downloads/activemodel-3.2.11.gem
> * actionpack: http://rubygems.org/downloads/actionpack-3.2.11.gem
>
> I usually like to use RPMs to install these, but they don't seem to have
> the latest available for my distro yet so I did it all through gem (gem
> install --local <file>)
I'd really recommend against this upgrade, since it moves to Rails 3.2.
Foreman currently works with Rails 3.0, so you'd want version 3.0.19
instead. I expect we'll be updating the 1.0 branch (Sam, Greg?).
The Rails vulnerability has made us realise there's a very similar issue
in Foreman itself where it parses untrusted YAML input, which we're now
looking to address. Any feedback on the proposal below would be
appreciated, before we implement it.
The facts and reports importers are used by puppetmasters to send YAML
to Foreman, which is imported straight from Puppet and without any
authentication (since the puppetmaster has no credentials). An attacker
can use this YAML loading to exploit Foreman.
We're proposing to lock this down so that only hosts that have a registered
smart proxy (with the Puppet feature) are able to upload data.
In addition, we would recommend (and implement in foreman-installer)
enabling optional client SSL cert verification in mod_ssl, then enforce
the smart proxy check using the client certificate's CN. The report and
ENC scripts would change to use the puppetmaster's SSL cert during HTTPS
calls to Foreman.
Both the host check and the enhanced HTTPS check would have settings so
they can be disabled. They'd be enabled by default in 1.1, but if
there's demand for a backport to 1.0 then they'd be disabled for
compatibility.
This would also address the issue raised by Andreas Rogge (thank you for
the report) where ENC output, including hashed root passwords, is
accessible to any host: Bug #2069, "(encrypted) root passwords are world readable".
In the meantime, if you're concerned about the security of your Foreman
host then you could restrict access via Apache, if you use it. e.g.
<Location ~ "/(fact_values|reports)/create">
    Order Deny,Allow
    Deny from all
    Allow from puppetmaster.example.net
</Location>
On 09/01/13 15:52, Jason Knudsen wrote:
-- 
Dominic Cleal
Red Hat Engineering
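The two gates proposed in the message above (registered-proxy check, then client-certificate check against the CN), followed by a YAML load that cannot instantiate arbitrary objects, written out as an added Ruby example. This is illustrative code, not Foreman's own implementation: the setting names, the feature name "Puppet", the proxy registry and the sample uploads are all assumed or constructed, and the reverse lookup of the client address is left to the caller. The environment variable names (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN_CN) are the ones mod_ssl exports when SSLOptions +StdEnvVars is set.

```ruby
require 'yaml'

# Added example (not Foreman code): the two access gates from the proposal,
# as a check an importer would run before touching the YAML body.
class UnauthorizedUpload < StandardError; end

# Constructed sample registry: smart proxies as Foreman would know them.
# Only proxies carrying the "Puppet" feature may push facts and reports.
SMART_PROXIES = [
  { name: 'puppetmaster.example.net', features: ['Puppet', 'Puppet CA'] },
  { name: 'dhcp1.example.net',        features: ['DHCP'] },
].freeze

# Hypothetical setting names; both gates can be switched off, which is the
# compatibility mode the proposal describes for a 1.0 backport.
SETTINGS = {
  restrict_to_registered_proxies: true, # host check
  require_client_cert: true,            # enhanced HTTPS check
}.freeze

def puppet_proxy_hosts(proxies)
  proxies.select { |p| p[:features].include?('Puppet') }
         .map    { |p| p[:name].downcase }
end

# env: the CGI/Rack environment. With "SSLVerifyClient optional" and
# "SSLOptions +StdEnvVars", mod_ssl exports SSL_CLIENT_VERIFY ("SUCCESS" only
# when the presented cert chained to the configured CA, "NONE" when no cert
# was sent) and SSL_CLIENT_S_DN_CN (the cert's CN, i.e. the puppetmaster's
# certname).
# remote_host: the reverse-resolved client address, supplied by the caller
# (assumption; a real importer would resolve REMOTE_ADDR itself).
def authorized_uploader?(env, remote_host, proxies = SMART_PROXIES, settings = SETTINGS)
  return true unless settings[:restrict_to_registered_proxies]

  allowed = puppet_proxy_hosts(proxies)
  if settings[:require_client_cert]
    # Trust the CN only if Apache actually verified the certificate; a CN
    # variable on its own proves nothing.
    return false unless env['SSL_CLIENT_VERIFY'] == 'SUCCESS'
    cn = env['SSL_CLIENT_S_DN_CN']
    return !cn.nil? && allowed.include?(cn.downcase)
  end

  # Compatibility mode: fall back to the client's hostname.
  allowed.include?(remote_host.to_s.downcase)
end

# Gate, then parse. YAML.safe_load only builds core types (String, Integer,
# Float, Hash, Array, true/false/nil) and raises Psych::DisallowedClass on
# any !ruby/object-style tag, so even an authorised proxy cannot make the
# importer instantiate arbitrary Ruby objects.
def import_facts(env, remote_host, yaml_text, proxies = SMART_PROXIES, settings = SETTINGS)
  unless authorized_uploader?(env, remote_host, proxies, settings)
    raise UnauthorizedUpload, 'facts/reports may only be uploaded by a registered Puppet smart proxy'
  end
  YAML.safe_load(yaml_text)
end

# Constructed sample input in the shape of a facts upload.
SAMPLE_FACTS_YAML = <<~YAML
  ---
  name: web1.example.net
  facts:
    operatingsystem: RedHat
    operatingsystemrelease: "6.3"
YAML

# A tagged document of the kind the Rails advisory concerned; safe_load
# refuses it instead of building the object.
TAGGED_YAML = "--- !ruby/object:Object {}\n"

if __FILE__ == $PROGRAM_NAME
  with_cert = { 'SSL_CLIENT_VERIFY' => 'SUCCESS',
                'SSL_CLIENT_S_DN_CN' => 'puppetmaster.example.net' }
  no_cert   = { 'SSL_CLIENT_VERIFY' => 'NONE' }

  p import_facts(with_cert, nil, SAMPLE_FACTS_YAML)
  begin
    import_facts(no_cert, 'puppetmaster.example.net', SAMPLE_FACTS_YAML)
  rescue UnauthorizedUpload => e
    puts "rejected: #{e.message}"
  end
  begin
    import_facts(with_cert, nil, TAGGED_YAML)
  rescue Psych::DisallowedClass => e
    puts "rejected: #{e.message}"
  end
end
```

On the Apache side this assumes the vhost carries SSLVerifyClient optional, SSLCACertificateFile pointing at the Puppet CA that signed the puppetmaster's certificate, and SSLOptions +StdEnvVars so the SSL_CLIENT_* variables reach the application; without the verified-CA step the CN check would accept any self-signed certificate. The compatibility branch that matches on hostname is only as strong as reverse DNS, which is why the proposal treats it as the fallback rather than the default.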