fixes #2121, #2069 - restrict importers and ENC to puppetmasters and users
CVE-2013-0171: report and fact importers parse YAML directly from the remote host without authentication. Untrusted YAML can instantiate objects and be used to exploit Foreman.
CVE-2013-0174: external nodes (ENC) output is available to any source and could contain sensitive information, e.g. root password.
The restrict_registered_puppetmasters setting (default: on) now only permits access to the three routes if the remote host has a smart proxy registered with the Puppet feature.
The require_ssl_puppetmasters setting (default: on) requires a client SSL certificate on HTTPS requests. The CN is checked against known smart proxies as above. :require_ssl in settings.yaml is recommended to disable HTTP.
Ensure ENC (node.rb) and report (foreman.rb) scripts are updated to supply client SSL certificates.
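The access check the commit describes, as an added example (not Foreman's own code): a request to one of the three routes is allowed only when it comes from a smart proxy registered with the Puppet feature, identified over HTTPS by a verified client certificate whose CN matches that proxy, or otherwise by the caller's reverse DNS name. The proxy registry, the setting names and the mod_ssl-style request variables (`HTTPS`, `SSL_CLIENT_VERIFY`, `SSL_CLIENT_S_DN_CN`, `REMOTE_ADDR`) are assumptions of this example.

```ruby
require 'uri'
require 'resolv'

# Constructed sample registry standing in for Foreman's smart proxy records.
# Only proxies registered with the "Puppet" feature may reach the fact/report
# importers and the ENC route.
SMART_PROXIES = [
  { url: 'https://puppet.example.com:8443', features: ['Puppet', 'Puppet CA'] },
  { url: 'https://dhcp.example.com:8443',   features: ['DHCP'] },
].freeze

# Assumed setting names; both default to on, as in the commit message.
SETTINGS = { restrict_registered_puppetmasters: true,
             require_ssl_puppetmasters: true }.freeze

# Hostnames of every registered proxy that carries the Puppet feature.
def puppet_proxy_hosts(proxies = SMART_PROXIES)
  proxies.select { |p| p[:features].include?('Puppet') }
         .map { |p| URI.parse(p[:url]).host.downcase }
end

# Decide whether a request may use the restricted routes. `env` holds the
# variables a reverse proxy exports for the request (assumed mod_ssl names).
# `resolver` maps an IP to its reverse DNS name; it is injectable so the
# check can be exercised offline.
def puppetmaster_allowed?(env, proxies: SMART_PROXIES, settings: SETTINGS,
                          resolver: ->(ip) { Resolv.getname(ip) rescue nil })
  return true unless settings[:restrict_registered_puppetmasters]
  hosts = puppet_proxy_hosts(proxies)

  if env['HTTPS'] == 'on' && settings[:require_ssl_puppetmasters]
    # Over HTTPS the client certificate is mandatory: the web server must have
    # verified it, and its CN must name a registered Puppet proxy.
    return false unless env['SSL_CLIENT_VERIFY'] == 'SUCCESS'
    cn = env['SSL_CLIENT_S_DN_CN'].to_s.downcase
    return !cn.empty? && hosts.include?(cn)
  end

  # Plain HTTP (or SSL check disabled): only the caller's reverse DNS name is
  # left to check, which is why the commit recommends :require_ssl to disable
  # HTTP altogether.
  remote_host = resolver.call(env['REMOTE_ADDR']).to_s.downcase
  !remote_host.empty? && hosts.include?(remote_host)
end
```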
Related issues
Bug #2069: (encrypted) root passwords are world readable
Bug #2121: Unauthenticated YAML fact and reports importers can be exploited