Description
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
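Two defender-side checks follow as an added example; they are not part of this advisory or of the urllib3 project. The first asks whether the installed urllib3 is at or past 1.24.2. The second audits an `ssl.SSLContext` that is meant to trust only a private CA and reports any CA certificate in its store that is not on the allow-list, which is the condition the description above is about: the desired CA set and the OS store differing, with the OS store silently in play. The `ca_file` path, the allow-listed common names and the sample store contents are constructed for illustration.

```python
"""Added example: version check and CA-store audit for the urllib3 issue.

Nothing here is the advisory's or urllib3's own code. The private-CA file
path, the allow-listed CA names and SAMPLE_STORE are constructed values.
"""
import ssl

FIXED_VERSION = (1, 24, 2)  # first urllib3 release with the fix, per the advisory


def parse_version(version):
    """Turn '1.24.1' (or '1.26.18') into a comparable tuple of ints.
    A non-numeric suffix such as 'rc1' on a component is dropped."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_fixed_version(version):
    """True when the given urllib3 version string is 1.24.2 or later."""
    return parse_version(version) >= FIXED_VERSION


def installed_urllib3_is_fixed():
    """Assess the urllib3 actually importable here; None if it is not installed."""
    try:
        import urllib3
    except ImportError:
        return None
    return is_fixed_version(urllib3.__version__)


def ca_common_names(ca_cert_dicts):
    """Extract commonName values from the dicts SSLContext.get_ca_certs() returns.
    Each 'subject' is a tuple of RDNs; each RDN is a tuple of (attribute, value)."""
    names = []
    for cert in ca_cert_dicts:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    names.append(value)
    return names


def unexpected_cas(ca_cert_dicts, allowed_common_names):
    """CA common names in the store that are not on the allow-list, sorted.
    A non-empty result means the context trusts more than the private CA."""
    allowed = set(allowed_common_names)
    return sorted(n for n in ca_common_names(ca_cert_dicts) if n not in allowed)


def build_private_ca_context(ca_file):
    """Client context that trusts only the CA(s) in ca_file (assumed path).
    load_default_certs() is deliberately never called on it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def audit_context(ctx, allowed_common_names):
    """Run unexpected_cas() against a live SSLContext.
    Note: get_ca_certs() lists certificates loaded from a cafile, not ones that
    would only be picked up lazily from a capath directory."""
    return unexpected_cas(ctx.get_ca_certs(), allowed_common_names)


def empty_context_audit():
    """A context with nothing loaded trusts nothing, so the audit is empty."""
    return audit_context(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), [])


# Constructed sample mimicking get_ca_certs() output: the intended private CA
# plus one public root that would appear if the OS store had been loaded too.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Example Corp"),),
                 (("commonName", "Example Corp Internal Root CA"),))},
    {"subject": ((("countryName", "US"),),
                 (("commonName", "Some Public Root CA"),))},
]

if __name__ == "__main__":
    print("installed urllib3 fixed:", installed_urllib3_is_fixed())
    print("unexpected CAs in sample store:",
          unexpected_cas(SAMPLE_STORE, ["Example Corp Internal Root CA"]))
    print("empty context audit:", empty_context_audit())
    # On a real deployment: audit_context(build_private_ca_context("/etc/pki/internal-ca.pem"),
    #                                     ["Example Corp Internal Root CA"])
```

The audit is what a practitioner would run against the context they hand to urllib3 (or to `requests` via its transport adapter) to confirm that only the intended CA is present; anything else in the list means the OS store is being consulted as well, and the version check tells you whether the library itself is one the advisory covers.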
Statement
This issue did not affect the versions of python-urllib3 shipped with Red Hat Enterprise Linux 6 and 7, as the older code shipped there did not load the system certificates. Red Hat Satellite 6.2 is in the Maintenance Support 2 phase, hence only selected Critical and Important issues will be fixed. Please refer to the Red Hat Satellite Product Life Cycle page for more information. In Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-urllib3 package.
Mitigation
The urllib3 package is used by elastic-curator, which is deployed in the ose-logging-curator image and used by the optional logging feature in OpenShift Container Platform (OCP). Therefore OCP 3.11 users can mitigate this issue by not deploying and using the Curator logging feature. In OCP 4, urllib3 is also used by several Ansible Playbook images built with the Operator SDK and available for installation in OCP 4, including openshift-enterprise-ansible-operator and ose-metering-ansible-operator. Therefore those operators should not be deployed in order to mitigate this issue in OCP 4.
Affected packages
Platform | Package | State | Advisory | Release
---|---|---|---|---
Red Hat Enterprise Linux 6 | python-urllib3 | Not affected | |
Red Hat Enterprise Linux 7 | python-urllib3 | Not affected | |
Red Hat Enterprise Linux 7 | python-virtualenv | Not affected | |
Red Hat Enterprise Linux 8 | python36:3.6/python-virtualenv | Not affected | |
Red Hat OpenShift Container Platform 3.10 | python-urllib3 | Out of support scope | |
Red Hat OpenShift Container Platform 3.11 | python-urllib3 | Will not fix | |
Red Hat OpenShift Container Platform 3.6 | python-urllib3 | Out of support scope | |
Red Hat OpenShift Container Platform 3.7 | python-urllib3 | Out of support scope | |
Red Hat OpenShift Container Platform 3.9 | python-urllib3 | Out of support scope | |
Red Hat OpenStack Platform 10 (Newton) | python-urllib3 | Not affected | |
Additional information
Status:
CVSS3: 7.5 High
Related vulnerabilities
A vulnerability in the urllib3 module of the Python interpreter, caused by errors in the certificate verification procedure, allowing an attacker to establish an SSL connection