PT-2012-4767 · Red Hat · Katello
Lzap · Published 2012-08-25 · Updated 2024-02-13 · CVE-2012-3503
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Katello versions 1.0 and earlier
Description
The installation script does not properly generate the Application.config.secret_token value, so every default installation ends up with the same secret token. Because session cookies are signed with that token, a remote attacker who knows the shared default can craft a cookie and authenticate to the CloudForms System Engine web interface as an arbitrary user.
Recommendations
For Katello versions 1.0 and earlier, regenerate the Application.config.secret_token value as a unique, randomly generated token to prevent unauthorized access. As a temporary workaround, restrict access to the CloudForms System Engine web interface until a secure secret token has been generated.
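The checks a defender wants around the recommendation above, as an added example that is not the advisory's, Katello's or Red Hat's code: generate a unique token of the size `rake secret` produces, flag a deployed value that is empty, short, low-variety or equal to a known installer default, and confirm that switching to a new token rejects cookies signed under the old one. The default token value is a constructed placeholder, not the real one; the cookie format mirrors the shape of Rails 3's MessageVerifier output (plain string payload instead of a marshalled session hash), and no Katello config path is assumed.

```ruby
# Added example (not Katello's or Red Hat's code): secret-token hygiene checks
# for a Rails 3 style application.
require 'securerandom'
require 'openssl'

# Constructed placeholder standing in for a token an installer ships unchanged.
# It is NOT the real default from the advisory; a real check would compare
# against the value found in the affected installer.
KNOWN_DEFAULT_TOKENS = ['0123456789abcdef' * 8].freeze

# A fresh 512-bit token rendered as 128 hex characters (what `rake secret`
# produces in Rails 3).
def generate_secret_token
  SecureRandom.hex(64)
end

# Returns the list of reasons a configured token is unacceptable; an empty
# list means the token passes.
def secret_token_problems(token)
  return ['token is empty'] if token.nil? || token.empty?
  problems = []
  problems << 'token shorter than 64 characters' if token.length < 64
  problems << 'token matches a known default' if KNOWN_DEFAULT_TOKENS.include?(token)
  problems << 'token uses fewer than 8 distinct characters' if token.chars.uniq.length < 8
  problems
end

# Same shape as Rails 3's MessageVerifier: base64(payload) + "--" +
# hex(HMAC-SHA1(secret, base64(payload))). Present only so the rotation check
# below can demonstrate why a shared secret matters; a Rails app does this
# through ActiveSupport::MessageVerifier.
def sign_cookie(secret, payload)
  data = [payload].pack('m0')
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Returns the payload when the signature verifies under `secret`, else nil.
def verify_cookie(secret, cookie)
  data, digest = cookie.to_s.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  return nil unless constant_time_equal?(expected, digest)
  data.unpack1('m0')
rescue ArgumentError
  nil # malformed base64
end

# Comparison that does not short-circuit on the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True when a cookie signed under `old_token` is still valid for `old_token`
# but rejected once the application has been switched to `new_token`.
def rotation_invalidates_old_sessions?(old_token, new_token)
  cookie = sign_cookie(old_token, 'session=constructed-sample')
  !verify_cookie(old_token, cookie).nil? && verify_cookie(new_token, cookie).nil?
end

if __FILE__ == $PROGRAM_NAME
  deployed = KNOWN_DEFAULT_TOKENS.first # stands in for the value read from config
  puts "problems with deployed token: #{secret_token_problems(deployed).inspect}"
  fresh = generate_secret_token
  puts "fresh token passes: #{secret_token_problems(fresh).empty?}"
  puts "rotation invalidates old sessions: #{rotation_invalidates_old_sessions?(deployed, fresh)}"
end
```

Run it as a script to see the deployed placeholder flagged and a fresh token accepted; in a real audit, `KNOWN_DEFAULT_TOKENS` would hold the value found in the vulnerable installer and `deployed` would be read from the application's secret-token config. Rotating the token logs every existing session out, which is exactly the intended effect here.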
Fix
Weakness Enumeration
Using Hardcoded Credentials
Related identifiers
CVE-2012-3503
Affected products
Katello