Project

General

Profile

« Previous | Next » 

Revision 358ec5a3

Added by Dominic Cleal over 11 years ago

  • ID 358ec5a3a1b59c098b5c14fcd7a90ca1a6a5dccd

fixes #2121, #2069 - restrict importers and ENC to puppetmasters and users

CVE-2013-0171: report and fact importers parse YAML directly from the remote
host without authentication. Untrusted YAML can instantiate objects and be
used to exploit Foreman.

CVE-2013-0174: external nodes (ENC) output is available to any source and
could contain sensitive information, e.g. root password.

The restrict_registered_puppetmasters setting (default: on) now only permits
access to the three routes if the remote host has a smart proxy registered
with the Puppet feature.

The require_ssl_puppetmasters setting (default: on) requires a client SSL
certificate on HTTPS requests. The CN is checked against known smart proxies
as above. :require_ssl in settings.yaml is recommended to disable HTTP.

Ensure ENC (node.rb) and report (foreman.rb) scripts are updated to supply
client SSL certificates.

View differences:

test/fixtures/settings.yml
category: Provisioning
default: 0
description: "Time in minutes installation tokens should be valid for, 0 to disable"
attribute27:
name: restrict_registered_puppetmasters
category: Auth
default: true
description: "Only known Smart Proxies with the Puppet feature can access fact/report importers and ENC output"
attribute28:
name: require_ssl_puppetmasters
category: Auth
default: true
description: "Client SSL certificates are used to identify Smart Proxies accessing fact/report importers and ENC output over HTTPS (:require_ssl should also be enabled)"
attribute29:
name: ssl_client_cn_env
category: Auth
default: "SSL_CLIENT_S_DN_CN"
description: "Environment variable containing the subject CN from a client SSL certificate"
attribute30:
name: ssl_client_verify_env
category: Auth
default: "SSL_CLIENT_VERIFY"
description: "Environment variable containing the verification status of a client SSL certificate"

Also available in: Unified diff