Описание
The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.
It was discovered that some items in the S3Token paste configuration as used by python-keystonemiddleware (formerly python-keystoneclient) were incorrectly evaluated as strings, an issue similar to CVE-2014-7144. If the "insecure" option were set to "false", the option would be evaluated as true, resulting in TLS connections being vulnerable to man-in-the-middle attacks.
Note: the "insecure" option defaults to false, so setups that do not specifically define "insecure=false" are not affected.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) | python-keystoneclient | Not affected | ||
| Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) | python-keystonemiddleware | Not affected | ||
| Red Hat OpenStack Platform 4 | python-keystoneclient | Will not fix | ||
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 | python-keystoneclient | Fixed | RHSA-2015:1685 | 25.08.2015 |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 | python-keystoneclient | Fixed | RHSA-2015:1685 | 25.08.2015 |
| Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | python-keystoneclient | Fixed | RHSA-2015:1677 | 24.08.2015 |
| Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | python-keystonemiddleware | Fixed | RHSA-2015:1677 | 24.08.2015 |
Показывать по
Дополнительная информация
Статус:
6.8 Medium
CVSS2
Связанные уязвимости
The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.
The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.
The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 a ...
6.8 Medium
CVSS2