Bug 1892551 (CVE-2020-25688)
| Summary: | CVE-2020-25688 rhacm: certificate re-use in grcuiapi and topologyapi | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Doran Moppert <dmoppert> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | cqu, ecai, gghezzo, gparvin, jramanat, jweiser, security-response-team, stcannon, thee |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | rhacm 2.0.5, rhacm 2.1.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in rhacm. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository which resulted in all installations using the same certificates. If an attacker could observe network traffic internal to a cluster, they could use the private key to decode API requests that should be protected by TLS sessions, and potentially obtaining information they would not otherwise be able to. The highest threat from this vulnerability is to data confidentiality.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-28 05:04:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1862477, 1893081, 1893082 | ||
| Bug Blocks: | 1891712 | ||
|
Description
Doran Moppert
2020-10-29 06:34:49 UTC
|