Bug 1208602 (CVE-2015-1816)
Summary: CVE-2015-1816 foreman: lack of SSL certificate validation when performing LDAPS authentication

Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Fixed In Version: foreman 1.7.4
Reporter: Vasyl Kaigorodov <vkaigoro>
Assignee: Red Hat Product Security <security-response-team>
CC: abaron, aortega, apevec, ayoung, bkearney, chrisw, cpelland, cperry, dallan, gkotton, gmollett, jrusnack, katello-bugs, lhh, lpeer, markmc, mburns, mmccune, ohadlevy, rbryant, rhos-maint, sclewis, tjay, yeylon
Last Closed: 2016-02-22 02:20:26 UTC
Bug Depends On: 1194393
Bug Blocks: 1145400, 1208603, 1253077

Doc Type: Bug Fix
Doc Text:
It was found that when Foreman opened an SSL/TLS connection to an LDAP authentication source, the remote server's certificate was accepted without being verified against any known certificate authority. An attacker positioned between Foreman and the LDAP server could therefore present their own certificate and intercept or alter the LDAPS session, including the credentials sent for authentication (a man-in-the-middle attack).
Description
Vasyl Kaigorodov
2015-04-02 16:09:55 UTC
Created attachment 1010546
CVE-2015-1816 patch

Created attachment 1010547
CVE-2015-1816 monkey patch for older versions

Pull request: https://github.com/theforeman/foreman/pull/2265

This issue has been addressed in the following products:

Red Hat Satellite 6.1

Via RHSA-2015:1591 https://access.redhat.com/errata/RHSA-2015:1591

This issue has been addressed in the following products:

Red Hat Satellite 6.1

Via RHSA-2015:1592 https://access.redhat.com/errata/RHSA-2015:1592
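The following is an added example, not code from Foreman, net-ldap or the attached patch. It reproduces the client-side behaviour the Doc Text describes: a TLS client configured with `verify_mode: VERIFY_NONE` completes a handshake with whatever certificate the peer presents, while a client configured with `VERIFY_PEER` plus a CA bundle (and hostname checking) rejects an attacker's self-signed certificate and a certificate for the wrong name. The certificates, the hostname `ldap.example.test` and the socket-pair "server" are constructed in-process so the script runs offline; the shape of the `encryption:`/`tls_options` hash is assumed from the net-ldap API and is not Foreman's own configuration code.

```ruby
require "openssl"
require "socket"
require "tempfile"

# Hostname the LDAP client expects (constructed for this example).
LDAP_HOST = "ldap.example.test"

# Constructed in-process PKI: a private CA, the real LDAP server's certificate
# signed by it, and a self-signed certificate that an on-path attacker would
# present for the same name. None of this is Foreman's or net-ldap's code.
def make_cert(subject, key, issuer: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..(1 << 63))
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[:cert] : cert, cert)
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  else
    cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san}"))
  end
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new("SHA256"))
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert("/CN=Example Internal CA", CA_KEY, ca: true)
SERVER_KEY = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = make_cert("/CN=#{LDAP_HOST}", SERVER_KEY,
                        issuer: { cert: CA_CERT, key: CA_KEY }, san: LDAP_HOST)
MITM_KEY = OpenSSL::PKey::RSA.new(2048)
MITM_CERT = make_cert("/CN=#{LDAP_HOST}", MITM_KEY, san: LDAP_HOST)

# CA bundle the hardened client points at (a temp file standing in for the
# distribution bundle, e.g. /etc/pki/tls/certs/ca-bundle.crt).
CA_BUNDLE = Tempfile.new(["ldap-ca", ".pem"]).tap { |f| f.write(CA_CERT.to_pem); f.flush }

# Shape of the `encryption:` option handed to Net::LDAP.new. Assumed from the
# net-ldap API (tls_options is passed to SSLContext#set_params); not Foreman's
# own configuration code.
def weak_ldap_encryption
  { method: :simple_tls, tls_options: { verify_mode: OpenSSL::SSL::VERIFY_NONE } }
end

def hardened_ldap_encryption(ca_file)
  { method: :simple_tls,
    tls_options: { verify_mode: OpenSSL::SSL::VERIFY_PEER, ca_file: ca_file } }
end

def client_context(encryption)
  OpenSSL::SSL::SSLContext.new.tap { |ctx| ctx.set_params(encryption[:tls_options]) }
end

# One TLS handshake over an in-process socket pair. The "server" presents
# server_cert; the client uses client_ctx and expects `hostname`. Returns true
# if the client completed the handshake, false if it rejected the peer.
def client_accepts?(client_ctx, server_cert, server_key, hostname: LDAP_HOST)
  client_io, server_io = Socket.pair(:UNIX, :STREAM)
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = server_cert
  server_ctx.key = server_key
  server = Thread.new do
    begin
      OpenSSL::SSL::SSLSocket.new(server_io, server_ctx).accept
    rescue StandardError
      nil # the client aborted the handshake (expected when it rejects us)
    ensure
      server_io.close
    end
  end
  ssl = OpenSSL::SSL::SSLSocket.new(client_io, client_ctx)
  ssl.hostname = hostname # drives SNI and the verify_hostname check
  ssl.connect
  ssl.close
  true
rescue OpenSSL::SSL::SSLError
  false
ensure
  client_io.close if client_io && !client_io.closed?
  server&.join(5)
end

# Runs the four handshakes; the first result is the CVE-2015-1816 behaviour.
def run_demo
  weak = client_context(weak_ldap_encryption)
  hard = client_context(hardened_ldap_encryption(CA_BUNDLE.path))
  {
    weak_client_vs_mitm: client_accepts?(weak, MITM_CERT, MITM_KEY),
    hardened_vs_real_server: client_accepts?(hard, SERVER_CERT, SERVER_KEY),
    hardened_vs_mitm: client_accepts?(hard, MITM_CERT, MITM_KEY),
    hardened_vs_wrong_name: client_accepts?(hard, SERVER_CERT, SERVER_KEY,
                                            hostname: "other.example.test")
  }
end

run_demo.each { |k, v| puts "#{k}: #{v ? 'accepted' : 'rejected'}" } if $PROGRAM_NAME == __FILE__
```

The first handshake is the vulnerable case: the client never looks at the certificate, so an attacker's self-signed certificate for `ldap.example.test` is accepted and the bind credentials go to the attacker. Pointing `ca_file` at a bundle and setting `VERIFY_PEER` fixes the chain check; hostname verification (enabled here through `SSLContext#set_params` and `SSLSocket#hostname=`) is the separate check that stops a certificate validly issued for some other name, and is worth confirming explicitly when reviewing an LDAPS client.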