Bug 1193683 - (CVE-2021-45081) VUL-0: CVE-2021-45081: cobbler, koan: unsafe protocol usage
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Enno Gotthold
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/317282/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-45081:6.8:(AV:...
Depends on:
Blocks: 1191952
Reported: 2021-12-13 14:58 UTC by Paolo Perego
Modified: 2022-08-31 08:16 UTC
CC: 9 users
Description Paolo Perego 2021-12-13 14:58:45 UTC
Routines in the following files use the HTTP protocol instead of the more secure HTTPS:
./actions/buildiso.py
./actions/replicate.py
./actions/reposync.py
./api.py
./autoinstallgen.py
./cli.py
./grub.py
./items/distro.py
./items/repo.py
./modules/authentication/configfile.py
./modules/authentication/denyall.py
./modules/authentication/pam.py
./modules/authentication/testing.py
./modules/installation/post_puppet.py
./modules/installation/pre_puppet.py
./modules/managers/bind.py
./modules/managers/import_signatures.py
./services.py
./tftpgen.py
./utils.py
Comment 1 Enno Gotthold 2021-12-17 08:59:32 UTC
Thanks for the finding!

When fixing this we need to keep in mind that not all machines are physically capable of using HTTPS during PXE or HTTP Boot. The same applies to the early OS boot stage.

What should be included, in my mind, is that in the upstream documentation we provide a visible notice that other means of security (dedicated installation networks, ...) should be taken.
Comment 2 Paolo Perego 2021-12-17 09:56:25 UTC
Tracked with CVE-2021-45081
CVSS 6.8 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) 
CRD 2022-02-16 or earlier
Comment 4 Enno Gotthold 2022-02-03 10:15:09 UTC
┬─[enno@localhost:~/P/cobbler]─[08:57:47]─[G:security/insecure-protocol-usage]
╰─>$ grep -R --exclude-dir=.pytest_cache --exclude-dir=build --exclude-dir=venv --exclude="*.pyc" "http://" .
./autoinstall_snippets/autoinstall_done:            #set nopxe = "\ncurl \"http://%s/cblr/svc/op/nopxe/system/%s\" -o /dev/null" % (srv, system_name)
./autoinstall_snippets/autoinstall_done:            #set nopxe = "\ncurl \"http://%s/cblr/svc/op/nopxe/system/%s\" -o /dev/null" % (srv, system_name)
./autoinstall_snippets/autoinstall_done:            #set nopxe = "\nwget \"http://%s/cblr/svc/op/nopxe/system/%s\" -O /dev/null" % (srv, system_name)
./autoinstall_snippets/autoinstall_done:            #set save_autoinstall = "\ncurl \"http://%s/cblr/svc/op/autoinstall/%s/%s\" -o /root/cobbler.ks" % (srv, object_type, object_name)
./autoinstall_snippets/autoinstall_done:            #set save_autoinstall = "\ncurl \"http://%s/cblr/svc/op/autoinstall/%s/%s\" -o /root/cobbler.xml" % (srv, object_type, object_name)
./autoinstall_snippets/autoinstall_done:            #set save_autoinstall = "\ncurl \"http://%s/cblr/svc/op/autoinstall/%s/%s\" -o /root/cobbler.ks" % (srv, object_type, object_name)
./autoinstall_snippets/autoinstall_done:            #set save_autoinstall = "\nwget \"http://%s/cblr/svc/op/autoinstall/%s/%s\" -O /var/log/cobbler.ks" % (srv, object_type, object_name)
./autoinstall_snippets/autoinstall_done:            #set save_autoinstall = "\nwget \"http://%s/cblr/svc/op/autoinstall/%s/%s\" -O /var/log/cobbler.seed" % (srv, object_type, object_name)
./autoinstall_snippets/autoinstall_done:            #set runpost = "\ncurl \"http://%s/cblr/svc/op/trig/mode/post/%s/%s\" -o /dev/null" % (srv, object_type, object_name)
./autoinstall_snippets/autoinstall_done:            #set runpost = "\ncurl \"http://%s/cblr/svc/op/trig/mode/post/%s/%s\" -o /dev/null" % (srv, object_type, object_name)
./autoinstall_snippets/autoinstall_done:            #set runpost = "\nwget \"http://%s/cblr/svc/op/trig/mode/post/%s/%s\" -O /dev/null" % (srv, object_type, object_name)
./autoinstall_snippets/autoinstall_start:            #set runpre = "\ncurl \"http://%s/cblr/svc/op/trig/mode/pre/%s/%s\" -o /dev/null" % (srv, object_type, object_name)
./autoinstall_snippets/autoinstall_start:            #set runpre = "\nwget \"http://%s/cblr/svc/op/trig/mode/pre/%s/%s\" -O /dev/null" % (srv, object_type, object_name)
./autoinstall_snippets/download_config_files:    #set $turl = "http://"+$http_server+"/cblr/svc/op/template/"+$ttype+"/"+$tname+"/path/"+$tpath
./autoinstall_snippets/download_config_files_deb:    #set $turl = "http://"+$http_server+"/cblr/svc/op/template/"+$ttype+"/"+$tname+"/path/"+$tpath
./autoinstall_snippets/late_apt_repo_config:deb http://$http_server/cblr/links/$distro_name $os_version main
./autoinstall_snippets/late_apt_repo_config:deb ${rarch} http://$http_server/cblr/repo_mirror/${repo.name} $dist $comps
./autoinstall_snippets/post_anamon:curl -o /usr/local/sbin/anamon "http://$server:$http_port/cobbler/misc/anamon"
./autoinstall_snippets/post_anamon:curl -o /etc/rc.d/init.d/anamon "http://$server:$http_port/cobbler/misc/anamon.init"
./autoinstall_snippets/pre_anamon:curl -o /tmp/anamon "http://$server:$http_port/cobbler/misc/anamon"
./autoinstall_snippets/preseed_apt_repo_config:      http://$http_server/cblr/repo_mirror/${repo.name} $dist $comps
./autoinstall_snippets/redhat_register:curl http://$redhat_management_server/pub/RHN-ORG-TRUSTED-SSL-CERT -o $mycert
./autoinstall_templates/sample.seed:d-i live-installer/net-image string http://$http_server/cobbler/links/$distro_name/install/filesystem.squashfs
./autoinstall_templates/sample.seed:# d-i apt-setup/local0/key string http://local.server/key
./autoinstall_templates/sample.seed:   http://$http_server/cblr/svc/op/script/$what/$name/?script=preseed_early_default | \
./autoinstall_templates/sample.seed:   http://$http_server/cblr/svc/op/script/$what/$name/?script=preseed_late_default | \
./autoinstall_templates/sample_autoyast.xml:<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns">
./autoinstall_templates/sample_old.seed:# See http://www.debian.org/releases/stable/i386/apbs04.html.en & preseed documentation
./bin/cobbler-ext-nodes:        url = "http://%s:%s/cblr/svc/op/puppet/hostname/%s" % (config["server"], config["http_port"], hostname)
./bin/cobblerd:    # daemonizing code:  http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/66012
./cobbler/actions/buildiso/netboot.py:            self.append_line += " install=http://%s:%s/cblr/links/%s" % (
./cobbler/actions/buildiso/netboot.py:                self.append_line += " install=http://%s:%s/cblr/links/%s" % (
./cobbler/actions/buildiso/netboot.py:            data["autoinstall"] = "http://%s:%s/cblr/svc/op/autoinstall/system/%s" % (
./cobbler/actions/buildiso/netboot.py:            data["autoinstall"] = "http://%s:%s/cblr/svc/op/autoinstall/profile/%s" % (
./cobbler/actions/check.py:            with ServerProxy('http://localhost:9001/RPC2') as server:
./cobbler/actions/replicate.py:        self.local = xmlrpc.client.Server("http://127.0.0.1:%s/cobbler_api" % self.settings.http_port)
./cobbler/actions/reposync.py:        # Now regardless of whether we're doing yumdownloader or reposync or whether the repo was http://, ftp://, or
./cobbler/actions/reposync.py:        Handle copying of http:// and ftp:// yum repos.
./cobbler/actions/reposync.py:        # Now regardless of whether we're doing yumdownloader or reposync or whether the repo was http://, ftp://, or
./cobbler/actions/reposync.py:        Handle copying of http:// and ftp:// debian repos.
./cobbler/actions/reposync.py:                line = "baseurl=http://${http_server}/cobbler/repo_mirror/%s\n" % (repo.name)
./cobbler/api.py:        if mirror_url.startswith("http://") or mirror_url.startswith("https://") or mirror_url.startswith("ftp://") \
./cobbler/api.py:            valid_roots = ["nfs://", "ftp://", "http://", "https://"]
./cobbler/api.py:                self.log("Network root given to --available-as must be nfs://, ftp://, http://, or https://")
./cobbler/autoinstallgen.py:        runpost = "\ncurl \"http://%s/cblr/svc/op/trig/mode/post/%s/%s\" > /dev/null"
./cobbler/autoinstallgen.py:        runpre = "\ncurl \"http://%s/cblr/svc/op/trig/mode/pre/%s/%s\" > /dev/null"
./cobbler/autoinstallgen.py:                        baseurl = "http://%s/cobbler/repo_mirror/%s" % (blended["http_server"], repo_obj.name)
./cobbler/autoinstallgen.py:            url = "http://%s/cblr/svc/op/yum/profile/%s" % (blended["http_server"], obj.name)
./cobbler/autoinstallgen.py:            url = "http://%s/cblr/svc/op/yum/system/%s" % (blended["http_server"], obj.name)
./cobbler/grub.py:    elif file_location.startswith("http://"):
./cobbler/items/distro.py:        A list of http:// URLs on the Cobbler server that point to yum configuration files that can be used to
./cobbler/items/repo.py:            if self.mirror.startswith("http://") or self.mirror.startswith("https://") \
./cobbler/modules/managers/import_signatures.py:            tree = "http://@@http_server@@/cblr/links/%s" % distribution.name
./cobbler/modules/managers/import_signatures.py:            # find path segment for yum_url (changing filesystem path to http:// trailing fragment)
./cobbler/modules/managers/import_signatures.py:            repo_url = "http://@@http_server@@/cobbler/distro_mirror/config/%s-%s.repo" % (distribution.name, counter)
./cobbler/modules/managers/import_signatures.py:            repo_url2 = "http://@@http_server@@/cobbler/distro_mirror/%s" % urlseg
./cobbler/modules/managers/import_signatures.py:                config_file.write("baseurl=http://@@http_server@@/cobbler/distro_mirror/%s\n" % urlseg)
./cobbler/modules/managers/import_signatures.py:            # Example returned URL: http://us.archive.ubuntu.com/ubuntu
./cobbler/modules/managers/import_signatures.py:            mirror = "http://archive.ubuntu.com/ubuntu"
./cobbler/modules/managers/import_signatures.py:            repo.mirror = "http://ftp.%s.debian.org/debian/dists/%s" % ('us', distribution.os_version)
./cobbler/services.py:        serverseg = "http://%s" % self.collection_mgr._settings.server
./cobbler/services.py:        serverseg = "http://%s" % self.collection_mgr._settings.server
./cobbler/tftpgen.py:                    autoinstall_path = "http://%s/cblr/svc/op/autoinstall/system/%s" % (httpserveraddress, system.name)
./cobbler/tftpgen.py:                    autoinstall_path = "http://%s/cblr/svc/op/autoinstall/profile/%s" \
./cobbler/tftpgen.py:            blended['img_path'] = 'http://%s:%s/cobbler/links/%s' % (self.settings.server, self.settings.http_port,
./cobbler/tftpgen.py:            blended['img_path'] = 'http://%s:%s/cobbler/links/%s' % (self.settings.server, self.settings.http_port,
./cobbler/tftpgen.py:                loaders_path = 'http://@@http_server@@/cobbler/images/@@distro_name@@/'
./cobbler/cli.py:     "http://example.com:8080, or <<inherit>> to use proxy_url_ext from settings, blank or <<None>> for no proxy", 0,
./cobbler/utils.py:    with ServerProxy('http://localhost:9001/RPC2') as server:
./cobbler/utils.py:        with ServerProxy('http://localhost:9001/RPC2') as server:
./cobbler/utils.py:    for prefix in ["http://", "https://", "ftp://"]:
./cobbler/utils.py:    return "http://%s:%s" % ("127.0.0.1", data.get("xmlrpc_port", "25151"))
./cobbler/utils.py:            kopts['info'] = 'http://%s/cblr/svc/op/nopxe/system/%s' % (cobbler_server_hostname, system_name)
./config/apache/cobbler.conf:ProxyPass /cobbler_api http://127.0.0.1:25151/
./config/apache/cobbler.conf:ProxyPassReverse /cobbler_api http://127.0.0.1:25151/
./config/cobbler/settings.yaml:# This config file is in YAML 1.2 format; see "http://yaml.org".
./config/cobbler/settings.yaml:# accessable at http://cobbler.example.org/cblr/repo_mirror and yum
./config/cobbler/settings.yaml:# Eg: "http://192.168.1.1:8080" (HTTP), "https://192.168.1.1:8443" (HTTPS)
./config/cobbler/settings.yaml:# Eg: proxy_url_int: "http://10.0.0.1:8080"
./config/rsync/import_rsync_whitelist:#     --available-as=http://mirrors.kernel.org/fedora/releases/16/Fedora/x86_64/os/
./config/rsync/import_rsync_whitelist:#     --available-as=http://mirrors.kernel.org/opensuse/distribution/11.4/repo/oss/
./contrib/api-examples/API_test.py:server = xmlrpc.client.Server("http://127.0.0.1/cobbler_api")
./contrib/api-examples/create_snippet.py:sp =  ServerProxy("http://127.0.0.1/cobbler_api")
./contrib/api-examples/demo_connect.py:    sp = ServerProxy("http://127.0.0.1:25151")
./contrib/api-examples/read_snippet.py:sp =  ServerProxy("http://127.0.0.1/cobbler_api")
./contrib/api-examples/remove_snippet.py:sp =  ServerProxy("http://127.0.0.1/cobbler_api")
./contrib/func/func.settings:# Func lives at http://fedorahosted.org/func
./contrib/templating/cheetah_macros:## wget http://some.server.com/some-av-package.tar.gz
./contrib/templating/cheetah_macros:## wget http://some.server.com/fw-linux-installer.sh
./docker/debs/Debian_10/Debian10.dockerfile:    /bin/sh -c "echo 'deb http://download.opensuse.org/repositories/Debian:/debbuild/Debian_10/ /' > /etc/apt/sources.list.d/debbuild.list" && \
./docker/debs/Debian_10/Debian10.dockerfile:    curl -sL http://download.opensuse.org/repositories/Debian:/debbuild/Debian_10/Release.key | apt-key add - && \
./docker/debs/Debian_11/Debian11.dockerfile:    /bin/sh -c "echo 'deb http://download.opensuse.org/repositories/Debian:/debbuild/Debian_11/ /' > /etc/apt/sources.list.d/debbuild.list" && \
./docker/debs/Debian_11/Debian11.dockerfile:    curl -sL http://download.opensuse.org/repositories/Debian:/debbuild/Debian_11/Release.key | apt-key add - && \
./docs/quickstart-guide.rst:    Automatic Installation Template Metadata : {'tree': 'http://@@http_server@@/cblr/links/fedora17-x86_64'}
./docs/user-guide/configuration-management-integrations.rst:Here we discuss the other option: deploying a CMS such as `cfengine3 <http://cfengine.com/>`_,
./docs/user-guide/configuration-management-integrations.rst:`puppet <http://puppetlabs.com/>`_, `bcfg2 <http://bcfg2.org>`_, `Chef <http://wiki.opscode.com/display/chef/Home>`_,
./docs/user-guide/configuration-management-integrations.rst:David Lutterkort has a `walkthrough for kickstart <http://watzmann.net/blog/2006/12/kickstarting-into-puppet.html>`_.
./docs/user-guide/configuration-management-integrations.rst:* integration with an established external CMS such as `cfengine3 <http://cfengine.com/>`_, `bcfg2 <http://bcfg2.org>`_,
./docs/user-guide/configuration-management-integrations.rst:  `Chef <http://wiki.opscode.com/display/chef/Home>`_, or `puppet <http://puppetlabs.com/>`_.
./docs/user-guide/configuration-management-integrations.rst:This all works using the same `Cheetah-powered <http://cheetahtemplate.org>`_ templating engine used in
./docs/user-guide/configuration-management-integrations.rst:    http://cobbler/cblr/svc/op/puppet/hostname/foo
./docs/user-guide/configuration-management-integrations.rst:        tree: 'http://.../x86_64/tree'
./docs/user-guide/configuration-management-integrations.rst:[this blog article](http://blog.milford.io/2012/03/getting-a-basic-cobbler-server-going-on-centos/)
./docs/user-guide/extending-cobbler.rst:    server = xmlrpclib.ServerProxy("http://cfengine:9000")
./docs/user-guide/terraform-provider.rst:     default     = "http://some_server/cobbler_api"
./docs/user-guide/terraform-provider.rst:    mirror         = "http://ftp.nl.debian.org/debian/"
./docs/user-guide/wingen.rst:    This is the name of the script to run immediately after the Windows installation completes. The script is specified in the Windows answer file. All the necessary completing the installation actions can be performed directly in this script, or it can be used to get and start additional steps from ``http://<server>/cblr/svc/op/autoinstall/<profile|system>/name``.
./docs/user-guide/wingen.rst:    --remote-boot-kernel=http://@@http_server@@/cobbler/images/@@distro_name@@/wimboot \
./docs/user-guide/wingen.rst:    --remote-boot-initrd=http://@@http_server@@/cobbler/images/@@distro_name@@/boot.sdi \
./docs/user-guide/wingen.rst:    kernel http://<http_server>/cobbler/images/Win10_EN-x64/wimboot
./docs/user-guide/wingen.rst:    initrd --name boot.sdi http://<http_server>/cobbler/images/Win10_EN-x64/boot.sdi boot.sdi
./docs/user-guide/wingen.rst:    initrd --name bootmgr.exe http://<http_server>/cobbler/images/Win10_EN-x64/boot1ea.exe bootmgr.exe
./docs/user-guide/wingen.rst:    initrd --name bcd http://<http_server>/cobbler/images/Win10_EN-x64/1Ea bcd
./docs/user-guide/wingen.rst:    initrd --name winpe.wim http://<http_server>/cobbler/images/Win10_EN-x64/winpe.wim winpe.wim
./docs/user-guide/wingen.rst:    kernel http://<http_server>/cobbler/images/Win10_EN-x64/wimboot
./docs/user-guide/wingen.rst:    initrd --name boot.sdi http://<http_server>/cobbler/images/Win10_EN-x64/boot.sdi boot.sdi
./docs/user-guide/wingen.rst:    initrd --name bootmgr.exe http://<http_server>/cobbler/images/Win10_EN-x64/boot1eb.exe bootmgr.exe
./docs/user-guide/wingen.rst:    initrd --name bcd http://<http_server>/cobbler/images/Win10_EN-x64/1Eb bcd
./docs/user-guide/wingen.rst:    initrd --name winpe.wim http://<http_server>/cobbler/images/Win10_EN-x64/winp1.wim winpe.wim
./docs/user-guide/wingen.rst:    kernel http://<http_server>/cobbler/images/Win10_EN-x64/wimboot
./docs/user-guide/wingen.rst:    initrd --name boot.sdi http://<http_server>/cobbler/images/Win10_EN-x64/boot.sdi boot.sdi
./docs/user-guide/wingen.rst:    initrd --name bootmgr.exe http://<http_server>/cobbler/images/Win10_EN-x64/boot1ec.exe bootmgr.exe
./docs/user-guide/wingen.rst:    initrd --name bcd http://<http_server>/cobbler/images/Win10_EN-x64/1Ec bcd
./docs/user-guide/wingen.rst:    initrd --name winpe.wim http://<http_server>/cobbler/images/Win10_EN-x64/winp2.wim winpe.wim
./docs/user-guide/wingen.rst:    --remote-boot-kernel=http://@@http_server@@/cobbler/images/@@distro_name@@/wimboot \
./docs/user-guide/wingen.rst:    --remote-boot-initrd=http://@@http_server@@/cobbler/images/@@distro_name@@/boot.sdi \
./docs/user-guide/wingen.rst:    --remote-boot-kernel=http://@@http_server@@/cobbler/images/@@distro_name@@/wimboot \
./docs/user-guide/wingen.rst:    --remote-boot-initrd=http://@@http_server@@/cobbler/images/@@distro_name@@/boot.sdi \
./docs/cobbler-conf.rst:  http: http://192.168.1.1:8080
./docs/cobbler-conf.rst:e.g.: ``proxy_url_int: http://10.0.0.1:8080``
./docs/cobbler-conf.rst:mirrored yum repos are still accessible at ``http://cobbler.example.org/cblr/repo_mirror`` and YUM configuration can
./docs/cobbler.rst:| **mirror**       | The address of the yum mirror. This can be an ``rsync://``-URL, an ssh location, or a ``http://`` |
./docs/cobbler.rst:|                  | - ``http://mirrors.kernel.org/fedora/extras/6/i386/`` (for http)                                  |
./docs/cobbler.rst:|                  | installation files and not mirrored locally on the Cobbler server. Only ``http://`` and ``ftp://``|
./docs/cobbler.rst:|                  | This option only works for ``http://`` and ``ftp://`` repositories (as it is powered by           |
./docs/user-guide.rst:``http://`` or ``ftp://``.
./docs/user-guide.rst:    cobbler repo add --mirror=http://mirrors.kernel.org/fedora/core/updates/6/i386/ --name=fc6i386updates
./docs/user-guide.rst:    cobbler repo add --mirror=http://mirrors.kernel.org/fedora/extras/6/i386/ --name=fc6i386extras
./misc/anamon:session = Server("http://%s:%s/cobbler_api" % (server, port))
./svc/services.py:    cw = CobblerSvc(server="http://127.0.0.1:%s" % remote_port)
./system-tests/tests/autoinstall-dummy-bios:script_url='http://${server}/cblr/svc/op/autoinstall/system/testbed'
./templates/boot_loader_conf/bootcfg.template:kernelopt=runweasel ks=http://$server:$http_port/cblr/svc/op/ks/$what/$name
./templates/boot_loader_conf/ipxe.template:#set $kernel_options="-c http://" + $server + ":" + $http_port + "/cblr/svc/op/bootcfg/system/" + $system_name + "BOOTIF=" + $mac_address_eth0
./templates/etc/dhcp.template:                    filename "http://$cobbler_server/cblr/svc/op/ipxe/system/$iface.owner";
./templates/etc/ndjbdns.template:# See http://cr.yp.to/djbdns/tinydns-data.html for a description of the data
./templates/reporting/build_report_email.template:kickstart=http://$server/cblr/svc/op/ks/system/$name
./templates/reporting/build_report_email.template:kickstart=http://$server/cblr/svc/op/ks/profile/$name
./templates/windows/answerfile.template:        <component name="Microsoft-Windows-International-Core-WinPE" $procarch publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
./templates/windows/answerfile.template:        <component name="Microsoft-Windows-Setup" $procarch publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
./templates/windows/answerfile.template:        <component name="Microsoft-Windows-PnpCustomizationsWinPE" $procarch publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
./templates/windows/answerfile.template:        <component name="Microsoft-Windows-LUA-Settings" $procarch publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
./templates/windows/answerfile.template:        <component name="Microsoft-Windows-Shell-Setup" $procarch publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
./templates/windows/answerfile.template:        <component name="Microsoft-Windows-UnattendedJoin" $procarch publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
./templates/windows/answerfile.template:        <component name="Microsoft-Windows-TerminalServices-LocalSessionManager" $procarch publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
./templates/windows/answerfile.template:        <component name="Networking-MPSSVC-Svc" $procarch publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
./templates/windows/answerfile.template:        <component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions" $procarch publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
./templates/windows/answerfile.template:        <component name="Microsoft-Windows-Shell-Setup" $procarch publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
./templates/windows/post_inst_cmd.template:##wget.exe http://@@http_server@@/cblr/svc/op/autoinstall/profile/%1 -O install.cmd
./tests/actions/buildiso_test.py:            == " append initrd=testdistro.img install=http://127.0.0.1:80/cblr/links/testdistro autoyast=default.ks"
./tests/actions/buildiso_test.py:            == " append initrd=testdistro.img install=http://127.0.0.1:80/cblr/links/testdistro autoyast=default.ks"
./tests/cli/cobbler_cli_object_test.py:        ("repo", {"name": "testrepoedit", "mirror": "http://localhost"}, ["comment", "Testcomment"], "Comment"),
./tests/cli/cobbler_cli_object_test.py:        ("repo", {"name": "testrepofind", "mirror": "http://localhost"}),
./tests/cli/cobbler_cli_object_test.py:        ("repo", {"name": "testrepocopy", "mirror": "http://localhost"}),
./tests/cli/cobbler_cli_object_test.py:        ("repo", {"name": "testreporename", "mirror": "http://localhost"}),
./tests/cli/cobbler_cli_object_test.py:        ("repo", {"name": "testrepoadd", "mirror": "http://localhost"}),
./tests/cli/cobbler_cli_object_test.py:        ("repo", {"name": "testreporemove", "mirror": "http://localhost"}),
./tests/grub_test.py:    ("http://testuri", None, pytest.raises(ValueError)),
./tests/grub_test.py:    ("http://10.0.0.1", "(http,10.0.0.1)/", does_not_raise()),
./tests/items/item_test.py:    kernel_url = "http://10.0.0.1/custom-kernels-are-awesome"
./tests/special_cases/security_test.py:    cobbler_api = try_connect("http://localhost/cobbler_api")
./tests/special_cases/security_test.py:    cobbler_api = try_connect("http://localhost/cobbler_api")
./tests/special_cases/security_test.py:    cobbler_api = try_connect("http://localhost/cobbler_api")
./tests/special_cases/security_test.py:    cobbler_api = try_connect("http://localhost/cobbler_api")
./tests/test_data/V2_8_5/settings.yaml:# see http://yaml.org
./tests/test_data/V2_8_5/settings.yaml:# Func lives at http://fedorahosted.org/func
./tests/test_data/V2_8_5/settings.yaml:# accessable at http://cobbler.example.org/cblr/repo_mirror and yum
./tests/test_data/V2_8_5/settings.yaml:# eg: proxy_url_ext: "http://192.168.1.1:8080"
./tests/test_data/V2_8_5/settings.yaml:# eg: proxy_url_int: "http://10.0.0.1:8080"
./tests/test_data/V3_0_0/settings.yaml:# see http://yaml.org
./tests/test_data/V3_0_0/settings.yaml:# accessable at http://cobbler.example.org/cblr/repo_mirror and yum
./tests/test_data/V3_0_0/settings.yaml:  #http: http://192.168.1.1:8080
./tests/test_data/V3_0_0/settings.yaml:# eg: proxy_url_int: "http://10.0.0.1:8080"
./tests/test_data/V3_0_1/settings.yaml:# see http://yaml.org
./tests/test_data/V3_0_1/settings.yaml:# accessable at http://cobbler.example.org/cblr/repo_mirror and yum
./tests/test_data/V3_0_1/settings.yaml:  #http: http://192.168.1.1:8080
./tests/test_data/V3_0_1/settings.yaml:# eg: proxy_url_int: "http://10.0.0.1:8080"
./tests/test_data/V3_1_0/settings.yaml:# see http://yaml.org
./tests/test_data/V3_1_0/settings.yaml:# accessable at http://cobbler.example.org/cblr/repo_mirror and yum
./tests/test_data/V3_1_0/settings.yaml:  #http: http://192.168.1.1:8080
./tests/test_data/V3_1_0/settings.yaml:# eg: proxy_url_int: "http://10.0.0.1:8080"
./tests/test_data/V3_1_1/settings.yaml:# see http://yaml.org
./tests/test_data/V3_1_1/settings.yaml:# accessable at http://cobbler.example.org/cblr/repo_mirror and yum
./tests/test_data/V3_1_1/settings.yaml:  #http: http://192.168.1.1:8080
./tests/test_data/V3_1_1/settings.yaml:# eg: proxy_url_int: "http://10.0.0.1:8080"
./tests/test_data/V3_1_2/settings.yaml:# see http://yaml.org
./tests/test_data/V3_1_2/settings.yaml:# accessable at http://cobbler.example.org/cblr/repo_mirror and yum
./tests/test_data/V3_1_2/settings.yaml:# eg: proxy_url_ext: "http://192.168.1.1:8080" (HTTP)
./tests/test_data/V3_1_2/settings.yaml:# eg: proxy_url_int: "http://10.0.0.1:8080"
./tests/test_data/V3_2_0/settings.yaml:# see http://yaml.org
./tests/test_data/V3_2_0/settings.yaml:# accessable at http://cobbler.example.org/cblr/repo_mirror and yum
./tests/test_data/V3_2_0/settings.yaml:# eg: proxy_url_ext: "http://192.168.1.1:8080" (HTTP)
./tests/test_data/V3_2_0/settings.yaml:# eg: proxy_url_int: "http://10.0.0.1:8080"
./tests/test_data/V3_2_1/settings.yaml:# This config file is in YAML 1.2 format; see "http://yaml.org".
./tests/test_data/V3_2_1/settings.yaml:# accessable at http://cobbler.example.org/cblr/repo_mirror and yum
./tests/test_data/V3_2_1/settings.yaml:# Eg: "http://192.168.1.1:8080" (HTTP), "https://192.168.1.1:8443" (HTTPS)
./tests/test_data/V3_2_1/settings.yaml:# Eg: proxy_url_int: "http://10.0.0.1:8080"
./tests/test_data/V3_3_0/settings.yaml:# This config file is in YAML 1.2 format; see "http://yaml.org".
./tests/test_data/V3_3_0/settings.yaml:# accessable at http://cobbler.example.org/cblr/repo_mirror and yum
./tests/test_data/V3_3_0/settings.yaml:# Eg: "http://192.168.1.1:8080" (HTTP), "https://192.168.1.1:8443" (HTTPS)
./tests/test_data/V3_3_0/settings.yaml:# Eg: proxy_url_int: "http://10.0.0.1:8080"
./tests/test_data/V3_3_1/settings.yaml:# This config file is in YAML 1.2 format; see "http://yaml.org".
./tests/test_data/V3_3_1/settings.yaml:# accessable at http://cobbler.example.org/cblr/repo_mirror and yum
./tests/test_data/V3_3_1/settings.yaml:# Eg: "http://192.168.1.1:8080" (HTTP), "https://192.168.1.1:8443" (HTTPS)
./tests/test_data/V3_3_1/settings.yaml:# Eg: proxy_url_int: "http://10.0.0.1:8080"
./tests/test_data/settings_old:# see http://yaml.org
./tests/test_data/settings_old:# accessable at http://cobbler.example.org/cblr/repo_mirror and yum
./tests/test_data/settings_old:# eg: proxy_url_ext: "http://192.168.1.1:8080" (HTTP)
./tests/test_data/settings_old:# eg: proxy_url_int: "http://10.0.0.1:8080"
./tests/utils_test.py:    ("http://bla", True),
./tests/utils_test.py:    assert result == "http://127.0.0.1:80/cobbler_api"
./tests/utils_test.py:    assert result == "http://127.0.0.1:25151"
./tests/xmlrpcapi/conftest.py:    remote.modify_repo(repo, "mirror", "http://something", token)
./tests/xmlrpcapi/repo_test.py:    Creates a Repository "testrepo0" with a mirror "http://www.sample.com/path/to/some/repo" and the attribute
./tests/xmlrpcapi/repo_test.py:    remote.modify_repo(repo, "mirror", "http://www.sample.com/path/to/some/repo", token)
./tests/xmlrpcapi/repo_test.py:        assert remote.modify_repo(repo, "mirror", "http://www.sample.com/path/to/some/repo", token)
./tests/xmlrpcapi/miscellaneous_test.py:        repo_compatible = create_repo(name_repo_compatible, "http://localhost", False)
./tests/xmlrpcapi/miscellaneous_test.py:            name_repo_incompatible, "http://localhost", False
./tests/xmlrpcapi/miscellaneous_test.py:        kernel_options = "tree=http://@@http_server@@/cblr/links/@@distro_name@@"
./tests/validate_test.py:    ("http://test_invalid/test", False),
./tests/validate_test.py:    ("http://test§invalid/test", False),
./tests/validate_test.py:    ("http://test.local/test", True),
./tests/validate_test.py:    # ("http://test.local:80/test", True),
./tests/validate_test.py:    ("http://test/test", True),
./tests/validate_test.py:    ("http://@@server@@/test", True),
./tests/validate_test.py:    ("http://10.0.0.1/test", True),
./tests/validate_test.py:    ("http://fe80::989c:95ff:fe42:47bf/test", True),
./tests/validate_test.py:    ("http://test.local/test", False),
./tests/validate_test.py:    ("http://test/test", False),


I found the following groups:

    Repository mirror related: Hosting repository mirrors with HTTPS by default is not even done for the openSUSE Leap repositories. While it is technically possible, it is hard to do as all systems need to trust the certificate used by the mirror. Additionally, we do accept (./cobbler/items/repo.py) HTTPS mirror URLs.
    Autoinstallation related: The only way to enable HTTPS here is if all components involved support embedding an SSL certificate. This would be: firmware, GRUB, system installers and the OS itself. Since I cannot guarantee that the firmware supports adding custom SSL certificates on all hardware used together with Cobbler, I cannot make this the default. Achieving HTTP Boot is (as simple as it is) not done. Many people still execute PXE installations (which is even more insecure).
    supervisord API: Is not set up with HTTPS by default and thus we cannot assume that it is available. Communication is additionally only done via localhost.
    XML Namespaces: They are served via HTTP in most cases if I am not mistaken. Same reasoning as for "Autoinstallation related".
    Documentation: Irrelevant as this is not code which can be executed.
    Settings: These are meant as reasonable defaults. Uyuni/SUSE Manager does not make use of the proxy settings, which are set to HTTP by default. I cannot assume that the proxy is able to talk HTTPS and I don't see a way of auto-determining whether a proxy speaks HTTP or HTTPS.
    Test data: Irrelevant because never deployed to customers.

TLDR: I don't see any chance to make HTTPS anywhere the default. The patch I have locally fixes some documentation and code URLs.

Long-term, what we can try (out of scope for this CVE, IMHO) is to refactor the URL generation and then have a central place where we can control this. However, this is also hard in regard to the fact that in the templates we have Python functions available, but they don't have to be used. People can just hardcode an HTTP URL in there and destroy all our efforts.
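To make the grouping above repeatable during review, here is an added example (not Cobbler's own code) that takes grep-style "path: content" lines like the ones listed in this bug, extracts every HTTP(S) URL and sorts each hit into the groups discussed: HTTPS already, non-deployed (docs/tests), templated (@@...@@ placeholders resolved from settings at render time), loopback (e.g. the supervisord API), or genuinely plaintext. The sample lines, paths and values are constructed for the example and are not real Cobbler source.

```python
"""Sort plaintext-HTTP grep hits into the review groups discussed in this bug."""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
PLACEHOLDER_RE = re.compile(r"@@\w+@@")      # Cobbler-style template placeholders
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
NON_DEPLOYED_PREFIXES = ("docs/", "tests/")  # never shipped to a customer system

# Constructed sample lines in grep "path:content" style (hypothetical, not real files).
SAMPLE_LINES = [
    'cobbler/settings.py:    "proxy_url_ext": "http://proxy.example:3128",',
    'cobbler/items/repo.py:    mirror = "http://mirror.example.org/leap/repo"',
    "templates/autoinst.xml:    <media_url>http://@@http_server@@/cblr/links/@@distro_name@@</media_url>",
    'cobbler/utils.py:    proxy = ServerProxy("http://localhost:9001/RPC2")',
    "docs/index.rst:    See http://cobbler.example.org for documentation",
    'cobbler/api.py:    url = "https://example.org/secure"',
]


def classify(path: str, url: str) -> str:
    """Return the review group for one URL found at the given path."""
    if url.startswith("https://"):
        return "https"
    if path.startswith(NON_DEPLOYED_PREFIXES):
        return "non-deployed"
    if PLACEHOLDER_RE.search(url):
        # Host is substituted from settings at render time; review the generator, not this line.
        return "templated"
    host = urlsplit(url).hostname or ""
    if host in LOOPBACK_HOSTS:
        return "loopback"
    return "plaintext"  # remote, non-templated, cleartext: the hits worth a closer look


def audit(lines):
    """Extract every URL from grep-style lines and attach its review group."""
    findings = []
    for line in lines:
        path, _, content = line.partition(":")
        for url in URL_RE.findall(content):
            findings.append({"path": path, "url": url, "group": classify(path, url)})
    return findings


def summarize(findings):
    """Count findings per group so a reviewer sees the size of each bucket."""
    counts = {}
    for f in findings:
        counts[f["group"]] = counts.get(f["group"], 0) + 1
    return counts
```

Running `audit(SAMPLE_LINES)` leaves only the proxy and mirror URLs in the "plaintext" bucket, which matches the manual grouping above: those are the hits where a transport change is a real option, while the templated and loopback ones need a different fix.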
Comment 5 Paolo Perego 2022-02-03 10:31:10 UTC
For this issue me and Enno agreed that we need some more time to elaborate a good strategy for this.
Comment 6 Thomas Leroy 2022-02-04 11:21:01 UTC
We have matches for "http://" in every maintained codestream of Cobbler. Moreover, we also have matches in Koan, so it seems that this package will also require a fix this time.
Independent of the correction that will be given (or not), the following codestreams will be affected:

Cobbler:
- SUSE:SLE-11-SP3:Update/cobbler
- SUSE:SLE-11-SP3:Update:Products:ManagerToolsBeta:Update/cobbler
- SUSE:SLE-12:Update/cobbler
- SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update/cobbler
- SUSE:SLE-15-SP2:Update:Products:Manager41:Update/cobbler
- SUSE:SLE-15-SP3:Update:Products:Manager42:Update/cobbler
- SUSE:SLE-15-SP4:Update:Products:Manager43:Update/cobbler
- openSUSE:Factory/cobbler
- openSUSE:Backports:SLE-15-SP3/cobbler
- openSUSE:Backports:SLE-15-SP4:Update/cobbler

Koan:
- openSUSE:Factory
- SUSE:SLE-15:Update
- SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update
Comment 8 Alexander Graul 2022-02-16 14:15:02 UTC
Hi Paolo,

What was the agreement between you and Enno on this one (CVE-2021-45081)? As far as I know, we have no patches ready for this CVE (only for CVE-2021-45082 and CVE-2021-45083).
Comment 9 Paolo Perego 2022-02-16 14:19:03 UTC
Hi Alexander, this is correct.

As I agreed with Enno, fixing this CVE requires more effort and some more time to figure out an elegant way to provide an HTTPS-only scenario.
So this CVE will be disclosed but not fixed at the moment (it's not that risky).
Comment 10 Thomas Leroy 2022-08-29 14:53:35 UTC
(In reply to Paolo Perego from comment #9)
> Hi Alexander, this is correct.
> 
> As I agreed with Enno, fixing this CVE requires more effort and some more
> time to figure it out an elegant way to provide an HTTPS only scenario.
> So this CVE will be disclosed but not fixed at the moment (it's not that
> risky).

Hi Paolo, do you have any solution to fix this bug?
Comment 11 Paolo Perego 2022-08-29 15:53:42 UTC
(In reply to Thomas Leroy from comment #10)
> (In reply to Paolo Perego from comment #9)
> > Hi Alexander, this is correct.
> > 
> > As I agreed with Enno, fixing this CVE requires more effort and some more
> > time to figure it out an elegant way to provide an HTTPS only scenario.
> > So this CVE will be disclosed but not fixed at the moment (it's not that
> > risky).
> 
> Hi Paolo, do you have any solution to fix this bug?

Hi Thomas, no, at the moment there is no solution for this bug.
Comment 12 Enno Gotthold 2022-08-31 08:16:38 UTC
I pinged Paolo on GitHub to discuss further steps for this CVE. It is technically impossible to fix this in the way it was intended by the CVE description; still, I will try to do my best to improve security. So this will now be actively worked on again.