A vulnerability was found in Red Hat CloudForms that allows a malicious attacker to impersonate any user, or to create a non-existent user with any entitlement in the appliance, and then perform API requests as that user.
Red Hat recommends upgrading to the fixed released versions; however, this flaw can be mitigated by unsetting the remaining spellings of the remote-user RequestHeader in the httpd configuration. The mitigation steps are:
1. Stop httpd service
$ systemctl stop httpd
2. Add the following additional unset directives to /etc/httpd/conf.d/manageiq-remote-user-openidc.conf and /etc/httpd/conf.d/manageiq-remote-user.conf, right before the existing X_REMOTE_USER unset:
RequestHeader unset X-REMOTE-USER
RequestHeader unset X-REMOTE_USER
RequestHeader unset X_REMOTE-USER
3. Validate the configuration files to make sure the syntax is valid
$ apachectl configtest
4. Restart httpd service
$ systemctl start httpd
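The following POSIX shell script is an added example, not Red Hat's own tooling or part of the original advisory. It automates step 2 and adds a verification step: add_remote_user_unsets inserts the three extra RequestHeader unset lines immediately before the existing "RequestHeader unset X_REMOTE_USER" line of a config file (idempotently, so running it twice does not duplicate the directives), and check_remote_user_unsets succeeds only when all four header spellings are unset. The function names, the temporary sample config, and the <Location /api> fragment are constructed for illustration; on a real appliance you would point the functions at the two conf.d files named above, between the systemctl stop and the apachectl configtest.

```shell
#!/bin/sh
# Added example (not Red Hat's tooling): insert the three extra RequestHeader unset
# directives right before the existing "RequestHeader unset X_REMOTE_USER" line,
# idempotently, and verify that all four spellings are unset.

# add_remote_user_unsets FILE: returns 1 if FILE has no X_REMOTE_USER unset to anchor on,
# otherwise ensures the three extra unsets sit directly above it.
add_remote_user_unsets() {
  f="$1"
  grep -q '^[[:space:]]*RequestHeader unset X_REMOTE_USER[[:space:]]*$' "$f" || return 1
  # already mitigated: nothing to do
  grep -q '^[[:space:]]*RequestHeader unset X-REMOTE-USER[[:space:]]*$' "$f" && return 0
  awk -v extra="X-REMOTE-USER,X-REMOTE_USER,X_REMOTE-USER" '
    /^[[:space:]]*RequestHeader unset X_REMOTE_USER[[:space:]]*$/ && !done {
      # reuse the indentation of the anchor line for the inserted directives
      match($0, /^[[:space:]]*/)
      ind = substr($0, 1, RLENGTH)
      n = split(extra, names, ",")
      for (i = 1; i <= n; i++) print ind "RequestHeader unset " names[i]
      done = 1
    }
    { print }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# check_remote_user_unsets FILE: succeed only if every header spelling is unset.
check_remote_user_unsets() {
  f="$1"
  for h in X_REMOTE_USER X-REMOTE-USER X-REMOTE_USER X_REMOTE-USER; do
    grep -q "^[[:space:]]*RequestHeader unset $h[[:space:]]*\$" "$f" || return 1
  done
  return 0
}

# Constructed sample fragment standing in for manageiq-remote-user.conf; the
# real files carry more directives, but only the anchor line matters here.
make_sample_conf() {
  cat > "$1" <<'EOF'
<Location /api>
  RequestHeader unset X_REMOTE_USER
</Location>
EOF
}

# Stand-alone run: mitigate a temporary copy and print the result.
tmp="$(mktemp)"
make_sample_conf "$tmp"
add_remote_user_unsets "$tmp"
check_remote_user_unsets "$tmp" && echo "all four X_REMOTE_USER spellings are unset"
cat "$tmp"
rm -f "$tmp"
```

The check function is the part worth keeping around: a single missing spelling leaves the header forgeable, so verifying all four lines after editing (and again after any package update that rewrites the conf.d files) is a cheap regression guard.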