We take security issues seriously and welcome responsible disclosure from researchers discovering vulnerabilities in Foreman. Please email foreman-security@googlegroups.com (a private address for the security team) with all reports.

We will endeavour to resolve high severity issues in the current stable release and lower severity issues in the next major release. Announcements of security issues will be made on foreman-announce when a release containing a fix is available to end users and credit will be given to the researcher if desired.

The policy of the project is to treat all newly reported issues as private, and after evaluation, low to medium severity issues will be made public while high severity issues will be fixed under an embargo. Typically the project supports only one major (x.y) release at a time, though high severity issues may also be fixed in the previous release if it was only recently superseded.

All security advisories made for Foreman are listed below with their corresponding CVE identifier.

• CVE-2014-3531: stored cross site scripting (XSS) in operating system names
• CVE-2014-3492: stored cross site scripting (XSS) in YAML preview
• CVE-2014-3491: stored cross site scripting (XSS) in notification dialogs
• CVE-2014-0007: TFTP boot file fetch API permits remote code execution
• CVE-2014-0208: stored cross site scripting (XSS) in search auto-completion
• CVE-2014-0192: provisioning template previews are world-readable
• CVE-2014-0135: Kafo leaves world-readable default_values.yaml file
• CVE-2014-0090: session fixation, new session IDs are not generated on login
• CVE-2014-0089: stored cross site scripting (XSS) on 500 error page
• CVE-2013-4386: SQL injection in host/host group parameter overrides
• CVE-2013-4182: hosts API privilege escalation
• CVE-2013-4180: DoS via hosts controller input conversion
• CVE-2013-2121: bookmarks remote code execution
• CVE-2013-2113: admin user creation, privilege escalation
• CVE-2013-0210: Arbitrary command execution risk in Foreman proxy
• CVE-2013-0187: XMLHttpRequest bypasses authorization
• CVE-2013-0174: exposed hashed root passwords can be retrieved by unauthenticated remote users
• CVE-2013-0173: insecure fixed salt "foreman" for passwords
• CVE-2013-0171: import allows unauthenticated YAML uploads/parsing leading to arbitrary code execution
• CVE-2012-5648: SQL injection through search mechanism
• CVE-2012-5477: world writable files in proxy

Operating system names and descriptions could store and cause evaluation of HTML in page views, allowing a cross site scripting (XSS) attack against the user.

Thanks to Jan Hutař of Red Hat for discovering this issue.

• Affects all known Foreman versions
• Fix released in Foreman 1.5.2
• Redmine issue #6580
• Red Hat Bugzilla #1108745

The host YAML page, used to preview the Foreman response for the Puppet ENC, will evaluate HTML stored in any host data such as parameters or comments, allowing a cross site scripting (XSS) attack against the user.

• Affects all known Foreman versions
• Fix released in Foreman 1.4.5 and 1.5.1
• Redmine issue #6149
• Red Hat Bugzilla

When resources (e.g. a host group) were saved or deleted through the web UI, the name of the resource would be evaluated unsafely inside the notification popup, allowing a cross site scripting (XSS) attack against the user changing the resource.

Thanks to Adam Salah of the Red Hat Satellite 6 QE Team for discovering this issue.

• Affects all known Foreman versions
• Fix released in Foreman 1.4.5 and 1.5.1
• Redmine issue #5881
• Red Hat Bugzilla #1100313

The Smart Proxy API for downloading boot files from installation media to the TFTP server was vulnerable to remote code execution exploits.

Thanks to Lukas Zapletal of the Red Hat Foreman Team for discovering this issue.

• Affects all known Foreman versions
• Fix released in Foreman 1.4.5 and 1.5.1
• Redmine issue #6086
• Red Hat Bugzilla

The search auto-completion was vulnerable to a stored cross site scripting (XSS) attack via completion of (global/host) parameters in search keys.

Thanks to Jan Hutař of Red Hat for discovering this issue.

• Affects all known Foreman versions
• Fix released in Foreman 1.4.4 and 1.5.0
• Redmine issue #5471
• Red Hat Bugzilla #1094642

Provisioning templates previews ("spoof") are accessible without authentication when used with the hostname parameter.

• Affects Foreman 1.4.0 to 1.4.3 inclusive
• Fix released in Foreman 1.4.4 and 1.5.0
• Redmine issue #5436
• Red Hat Bugzilla #1092354

When Kafo (used in the Foreman installer) runs, a /tmp/default_values.yaml file is written to and created with world readable permissions. This is prone to race-condition attacks and contains default values for all parameters, such as autogenerated passwords.

• Affects all known Kafo versions
• Fix released in Kafo 0.3.17 and 0.5.2 (to Foreman 1.4 and 1.5 repos respectively)
• Redmine issue #4648
• Red Hat Bugzilla #1076335

Upon successful login, a new session ID was not generated for the user, so an attacker who had set the session ID in the request from the user's browser would be able to exploit the escalated session with the user's privileges.

Thanks to Jeremy Choi and Keqin Hong of the Red Hat HSS Pen-Test Team for discovering this issue.

• Affects all known Foreman versions
• Fix released in Foreman 1.4.2
• Redmine issue #4457
• Red Hat Bugzilla #1072151

The 500 error page was vulnerable to stored cross site scripting attacks, where the error message was rendered without HTML encoding. In addition, bookmarks could be saved by any user with HTML in the name which caused an error when rendering the bookmark list, leading to a 500 error and execution of the HTML in the browser.

Thanks to Jeremy Choi and Keqin Hong of the Red Hat HSS Pen-Test Team for discovering this issue.

• Affects Foreman 1.4.0 to 1.4.1 inclusive
• Fix released in Foreman 1.4.2
• Redmine issue #4456
• Red Hat Bugzilla #1071741

Host and host group parameter overrides (lookup_values) allowed SQL injection from the host FQDN or host group label.

• Fix released in Foreman 1.2.3
• Redmine issue #3160
• Red Hat Bugzilla #1013076

The /api/hosts API was found to provide access to all hosts without checking whether the current user has privileges to view a particular host.

Thanks to Daniel Lobato Garcia of CERN IT-PES-PS for discovering this issue.

• Fix released in Foreman 1.2.2
• Redmine issue #2863
• Red Hat Bugzilla #990374

Power and IPMI boot actions converted user input to symbols, which could lead to memory exhaustion.

Thanks to Marek Hulan of the Red Hat Foreman Team for discovering this issue.

• Fix released in Foreman 1.2.2
• Redmine issue #2860
• Red Hat Bugzilla #989755

Bookmarks could be created in Foreman containing data that was later executed arbitrarily when reading the bookmark.

Thanks to Ramon de C Valle of the Red Hat Product Security Team for discovering this issue.

• Fix released in Foreman 1.2.0
• Redmine issue #2631
• Red Hat Bugzilla #968166

Non-admin user with permissions to create or edit other users were able to change the admin flag, or assign roles that they themselves do not have, enabling a privilege escalation.

Thanks to Ramon de C Valle of the Red Hat Product Security Team for discovering this issue.

• Fix released in Foreman 1.2.0
• Redmine issue #2630
• Red Hat Bugzilla #966804

Requests to the smart proxy Puppet run API were not properly escaped when running the Puppet command, leading to possible arbitrary command execution.

• Fix released in Foreman 1.2.0

XMLHttpRequest or AJAX requests to Foreman were not subject to authorization checks, enabling privilege escalation for authenticated users.

• Fix released in Foreman 1.1

The external node classifier (ENC) API in Foreman was accessible to any remote host and the output would contain the hashed root psasword (used for unattended installation). Authentication and authorization features were added to the ENC API to secure this data.

Thanks to Andreas Rogge for discovering this issue.

• Fix released in Foreman 1.1
• Redmine issue #2069

The salt used to hash root passwords (used for unattended installation) was fixed to the string "foreman" instead of being randomized.

• Fix released in Foreman 1.1
• Redmine issue #2069

Fact and report import APIs in Foreman were accessible to any remote host and accepted YAML input, allowing arbitrary objects to be created on the Foreman server via YAML. Authentication and authorization features were added to the import APIs to prevent this.

• Fix released in Foreman 1.1
• Redmine issue #2121

Input to the search mechanism in Foreman was not escaped when constructing queries, enabling SQL injection into the resulting query.

• Fix released in Foreman 1.0.2

The smart proxy daemon ran with a umask of 0, causing files and directories written by it to have world-writable bits set. Files managed by the smart proxy could be modified by local users on the same host.

• Fix released in Foreman 1.1
• Redmine issue #1929

The Foreman project uses multiple GPG keys to sign packages and release artifacts. All stable releases will be signed by one of the keys. Nightly and plugin Debian packages will be signed, while nightly and plugin RPM packages will not (this may change in the future).

Signing for the Debian family of operating systems is via secure apt and more information, including verification steps can be found on the Debian web site. RPMs themselves are signed and can be verified using rpm --checksig PACKAGE. All yum repository configs set up by foreman-release RPMs or the installer will enable GPG checking by default.

Key management is changing at the time of writing to cycle nightly keys every two years, and issue limited duration keys per stable release.

In July 2014 after a server was compromised, the existing GPG key (0xE775FF07) was revoked and replaced with a new key (0x1AA043B8) as a precaution. All existing packages were re-signed with the new key and thereafter, new major releases are signed with new per-release keys.

All users with the old key trusted are urged to immediately disable this as follows:

• Debian users must run sudo apt-key del E775FF07
• RPM users must run sudo rpm -e gpg-pubkey-e775ff07-4cda3cf9

More information is available in the announcement.