Description
A vulnerability was found in ManageIQ which allows a malicious attacker to impersonate any user or create a non-existent user with any entitlement in the appliance and perform an API request.
Statement
The vulnerability and its criticality depend on the product release and the protocol in use. In ManageIQ ivanchuk, an attacker needs to be authenticated when OIDC is used, but SAML does not require any authentication for exploitation. In ManageIQ hammer, however, neither SAML nor OIDC requires authentication, and an attacker can impersonate users who have previously logged in.
We do not support hammer and earlier releases; however, it is confirmed that the vulnerability affects the SAML protocol but not OIDC. Reference metrics: https://bugzilla.redhat.com/show_bug.cgi?id=1855739#c3
Mitigation
We recommend upgrading to the fixed released versions; however, this flaw can also be mitigated by unsetting the request headers in the httpd configuration. The mitigation steps are:
- Stop the httpd service.
- Add the following additional unsets to /etc/httpd/conf.d/manageiq-remote-user-openidc.conf and /etc/httpd/conf.d/manageiq-remote-user.conf, right before the existing X_REMOTE_USER unset:
    RequestHeader unset X-REMOTE-USER
    RequestHeader unset X-REMOTE_USER
    RequestHeader unset X_REMOTE-USER
- Validate the configuration files to make sure all syntax is valid.
- Restart the httpd service.
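As an added check (not part of the advisory or of ManageIQ's own code), the Python below verifies that an httpd configuration text carries all four unset spellings from the mitigation and that they come before the line that sets X_REMOTE_USER. It assumes the variants matter because the backend sees client headers under CGI-style names where "-" becomes "_", so all four spellings collapse to HTTP_X_REMOTE_USER; the config snippets are constructed samples, not the real ManageIQ files.

```python
import re

# Header the appliance trusts, and the spellings the mitigation unsets with it.
TRUSTED_HEADER = "X_REMOTE_USER"
VARIANTS = ("X_REMOTE_USER", "X-REMOTE-USER", "X-REMOTE_USER", "X_REMOTE-USER")

UNSET_RE = re.compile(r"^\s*RequestHeader\s+unset\s+(\S+)", re.IGNORECASE | re.MULTILINE)
SET_RE = re.compile(r"^\s*RequestHeader\s+set\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def cgi_name(header: str) -> str:
    """CGI/Rack-style environment name of an HTTP header: uppercase, '-' -> '_',
    prefixed with HTTP_. Assumed here to be why the spellings collide."""
    return "HTTP_" + header.upper().replace("-", "_")


def colliding_variants(trusted: str = TRUSTED_HEADER) -> list:
    """Spellings in VARIANTS that the backend would read as the trusted header."""
    return [v for v in VARIANTS if cgi_name(v) == cgi_name(trusted)]


def missing_unsets(conf_text: str) -> list:
    """Variants with no 'RequestHeader unset' line in the config (names compared
    upper-cased, since Apache header names are case-insensitive)."""
    present = {m.group(1).upper() for m in UNSET_RE.finditer(conf_text)}
    return [v for v in VARIANTS if v not in present]


def unsets_precede_set(conf_text: str) -> bool:
    """True when every unset appears before the first 'set' of the trusted header,
    so the legitimate value written by mod_headers is not stripped afterwards."""
    sets = [m.start() for m in SET_RE.finditer(conf_text)
            if m.group(1).upper() == TRUSTED_HEADER]
    if not sets:
        return True
    return all(m.start() < sets[0] for m in UNSET_RE.finditer(conf_text))


# Constructed sample configs: only the original unset, then with the mitigation added.
BEFORE = """
RequestHeader unset X_REMOTE_USER
RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
"""
AFTER = """
RequestHeader unset X-REMOTE-USER
RequestHeader unset X-REMOTE_USER
RequestHeader unset X_REMOTE-USER
RequestHeader unset X_REMOTE_USER
RequestHeader set X_REMOTE_USER %{REMOTE_USER}e env=REMOTE_USER
"""

if __name__ == "__main__":
    print("collide with trusted header:", colliding_variants())
    print("missing before mitigation:", missing_unsets(BEFORE))
    print("missing after mitigation:", missing_unsets(AFTER), unsets_precede_set(AFTER))
```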
https://access.redhat.com/security/cve/cve-2020-14325
Fixed in ivanchuk-7 - appliance, jansa-1-rc2 - appliance, jansa-1-rc2 - pods, master - appliance, master - pods