Bug 1143808 (CVE-2014-7144)

Summary: CVE-2014-7144 python-keystoneclient: TLS certificate verification disabled
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aavati, abaron, aortega, apevec, apevec, ayoung, chazlett, chrisw, dallan, gkotton, gmollett, jose.castro.leon, jrusnack, jruzicka, lhh, lpeer, markmc, nkinder, nlevinki, pablo.iranzo, poelstra, rbryant, rfortier, rhs-bugs, sclewis, security-response-team, smohan, ssaha, vbellur, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was found that python-keystoneclient treated all settings in paste.ini files as string types. If the "insecure" option were set to any value in a paste.ini configuration file, it would be evaluated as true, resulting in TLS connections being vulnerable to man-in-the-middle attacks.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-08 19:10:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1143809, 1143810, 1148340, 1148341, 1148342, 1152381    
Bug Blocks: 1143811    

Description Murray McAllister 2014-09-18 04:12:18 UTC 
The OpenStack project reports:

""
Title: TLS cert verification option not honoured in paste configs
Reporter: Qin Zhao (IBM)
Products: keystonemiddleware, python-keystoneclient
Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.10.1
(python-keystoneclient)

Description:
Qin Zhao from IBM reported a vulnerability in keystonemiddleware (formerly
shipped as python-keystoneclient). When the 'insecure' SSL option is set in 
a paste configuration file it is effectively ignored, regardless of its 
value.  As a result certificate verification will be disabled, leaving TLS
connections open to MITM attacks. All versions of keystonemiddleware with
TLS settings configured via a paste.ini file are affected by this flaw.
""

Upstream fix:

https://review.openstack.org/#/c/112232/

References:
http://launchpad.net/bugs/1353315
http://www.openwall.com/lists/oss-security/2014/09/17/3
Comment 2 Murray McAllister 2014-09-18 04:16:40 UTC 
Created python-keystoneclient tracking bugs for this issue:

Affects: fedora-all [bug 1143809]
Comment 4 Murray McAllister 2014-09-25 04:11:20 UTC 
MITRE assigned CVE-2014-7144 to this issue:

http://seclists.org/oss-sec/2014/q3/628
Comment 5 Murray McAllister 2014-09-26 02:55:17 UTC 
OpenStack's advisory:

http://seclists.org/oss-sec/2014/q3/731
Comment 13 errata-xmlrpc 2014-11-03 08:40:40 UTC 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2014:1784 https://rhn.redhat.com/errata/RHSA-2014-1784.html
Comment 14 errata-xmlrpc 2014-11-03 08:40:54 UTC 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2014:1783 https://rhn.redhat.com/errata/RHSA-2014-1783.html
Comment 16 errata-xmlrpc 2015-01-08 18:05:21 UTC 
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2015:0020 https://rhn.redhat.com/errata/RHSA-2015-0020.html