Bug 924514 (CVE-2013-2255)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2013-2255 openstack-*: Inconsistent and non-validating HTTPS client | | |
| Product: | [Other] Security Response | Reporter: | Grant Murphy <gmurphy> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | abaron, aortega, apevec, ayoung, chrisw, dallan, dpal, gkotton, gmollett, jkt, jlennox, jlieskov, kseifried, markmc, mjc, rbryant, sclewis |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-03-06 04:58:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 984679, 984680, 984681, 984682, 995314, 995315, 995316, 995317, 995318, 995319 | | |
| Bug Blocks: | 971043, 971675 | | |
Description
Grant Murphy
2013-03-21 23:59:29 UTC
(In reply to Grant Murphy from comment #0)

Thank you for your report, Grant.

> Description:
>
> The following files use httplib.HTTPSConnection:
>
> keystone/middleware/s3_token.py
> keystone/middleware/ec2_token.py
> keystone/common/bufferedhttp.py
> vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token.py
>
> AFAICT HTTPSConnection does not validate server certificates and should be
> avoided. This is fixed in Python 3, however in 2.X no validation occurs. I
> suspect this is also applicable to most OpenStack modules that make HTTPS
> client calls.

Have you reported this issue upstream already? Or should we?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

This bug also appears to exist within several other OpenStack components upstream:

    cinder/cinder/volume/drivers/zadara.py: connection = httplib.HTTPSConnection(self.host, self.port)
    cinder/cinder/volume/drivers/solidfire.py: connection = httplib.HTTPSConnection(host, port)
    keystone/keystone/middleware/ec2_token.py: conn = httplib.HTTPSConnection(o.netloc)
    keystone/keystone/middleware/s3_token.py: self.http_client_class = httplib.HTTPSConnection
    keystone/keystone/common/bufferedhttp.py: If ssl is set True, HTTPSConnection will be used. However, if ssl=False,
    keystone/keystone/common/bufferedhttp.py: If ssl is set True, HTTPSConnection will be used. However, if ssl=False,
    keystone/keystone/common/bufferedhttp.py: conn = httplib.HTTPSConnection(
    nova/nova/virt/vmwareapi/read_write_util.py: conn = httplib.HTTPSConnection(netloc)
    nova/nova/api/ec2/__init__.py: conn = httplib.HTTPSConnection(o.netloc)
    nova/nova/scheduler/filters/trusted_filter.py:class HTTPSClientAuthConnection(httplib.HTTPSConnection):
    nova/nova/scheduler/filters/trusted_filter.py: httplib.HTTPSConnection.__init__(self, host,
    nova/plugins/xenserver/xenapi/etc/xapi.d/plugins/glance: conn = httplib.HTTPSConnection(glance_host, glance_port)
    nova/plugins/xenserver/xenapi/etc/xapi.d/plugins/pluginlib_nova.py: httplib.HTTPSConnection(netloc) or
    quantum/quantum/plugins/bigswitch/plugin.py: conn = httplib.HTTPSConnection(
    quantum/quantum/plugins/nec/common/ofc_client.py: return httplib.HTTPSConnection
    quantum/quantum/plugins/nicira/api_client/common.py: if isinstance(conn, httplib.HTTPSConnection):
    quantum/quantum/plugins/nicira/api_client/client.py: return httplib.HTTPSConnection(host, port,
    quantum/quantum/plugins/nicira/api_client/client.py: is_ssl = isinstance(http_conn, httplib.HTTPSConnection)
    swift/swift/common/bufferedhttp.py: HTTPResponse, HTTPSConnection, _UNKNOWN
    swift/swift/common/bufferedhttp.py: HTTPSConnection will be used. However, if ssl=False, BufferedHTTPConnection
    swift/swift/common/bufferedhttp.py: HTTPSConnection will be used. However, if ssl=False, BufferedHTTPConnection
    swift/swift/common/bufferedhttp.py: conn = HTTPSConnection('%s:%s' % (ipaddr, port))

Changing this to an SRT bug as it affects more than just keystone and is now public.

Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 984679]
Affects: epel-6 [bug 984681]

Created python-keystoneclient tracking bugs for this issue:

Affects: fedora-all [bug 984680]
Affects: epel-6 [bug 984682]

*** Bug 971674 has been marked as a duplicate of this bug. ***

Statement:

The Red Hat Security Response Team has rated this issue as having Moderate security impact in Red Hat Enterprise OpenStack Platform 3; however, fixing this issue would require a change to default behavior. This issue is not currently planned to be addressed in future updates. This issue did not affect the versions of openstack-keystone or python-keystoneclient as shipped with Red Hat Enterprise OpenStack Platform 4. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
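The following is an added example, not code from this bug report or from any OpenStack project. It shows the two halves of the problem discussed above: what the Python 2 `httplib.HTTPSConnection` behaviour amounts to as an explicit TLS context (encryption with no chain or hostname check) beside the validating context a client should use, and a small pattern-based audit of the kind that produced the grep listing in the report. The function names (`https_connection`, `audit_source`, `context_is_safe`) and the two sample source strings are constructed for illustration; the sample "before" code mirrors the shape of the driver lines listed above but is not taken from any of those files.

```python
"""Added example: not code from the bug report or from any OpenStack
project. Shows (1) the difference between the non-validating client the
report describes and a validating one, and (2) a small audit that flags the
unverified httplib.HTTPSConnection pattern in source text. Names such as
https_connection(), audit_source() and the sample sources are constructed
for illustration."""
import http.client
import re
import ssl


def unverified_context():
    """TLS context equivalent to what Python 2 httplib.HTTPSConnection did:
    encrypts the connection but accepts any server certificate, so an on-path
    attacker presenting a self-signed cert is not detected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile=None):
    """Context that requires a chain to a trusted CA and a hostname match.
    cafile=None uses the platform trust store; pass a PEM bundle for a
    private CA (the usual case for an internal service endpoint)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_safe(ctx):
    """A context counts as validating only if it checks the chain *and* the
    hostname; CERT_REQUIRED alone still accepts a valid cert for another host."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def https_connection(host, port=443, cafile=None, timeout=10):
    """Hardened replacement for a bare HTTPSConnection(host, port)."""
    return http.client.HTTPSConnection(
        host, port, context=verified_context(cafile), timeout=timeout)


# Patterns that indicate an HTTPS client without (or with disabled) validation.
UNSAFE_PATTERNS = (
    (re.compile(r"\bhttplib\.HTTPSConnection\s*\("),
     "httplib.HTTPSConnection: no certificate validation on Python 2"),
    (re.compile(r"\bssl\.CERT_NONE\b"),
     "verify_mode=CERT_NONE disables chain validation"),
    (re.compile(r"\bcheck_hostname\s*=\s*False\b"),
     "check_hostname=False disables hostname matching"),
    (re.compile(r"\b_create_unverified_context\b"),
     "explicitly unverified context"),
)


def audit_source(text, path="<string>"):
    """Return (path, lineno, reason) for each non-comment line matching an
    unsafe pattern. Like the grep in the report this is a textual match, not a
    data-flow analysis: a context built elsewhere and passed in is not followed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for pattern, reason in UNSAFE_PATTERNS:
            if pattern.search(line):
                findings.append((path, lineno, reason))
    return findings


# Constructed sample in the shape of the driver code the report lists.
SAMPLE_BEFORE = """\
import httplib

class Client(object):
    def _connect(self, host, port):
        # Python 2: no chain or hostname check happens here.
        connection = httplib.HTTPSConnection(host, port)
        return connection
"""

# Constructed sample of the same client after the fix.
SAMPLE_AFTER = """\
import http.client
import ssl

class Client(object):
    def _connect(self, host, port, cafile):
        ctx = ssl.create_default_context(cafile=cafile)
        return http.client.HTTPSConnection(host, port, context=ctx)
"""


if __name__ == "__main__":
    for name, src in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for path, lineno, reason in audit_source(src, name):
            print("%s:%d: %s" % (path, lineno, reason))
    print("verified context safe:", context_is_safe(verified_context()))
    print("unverified context safe:", context_is_safe(unverified_context()))
```

Run stand-alone it reports the one finding in the "before" sample and nothing for the "after" sample. The audit deliberately skips only full-line comments; a pattern on a line with trailing code still counts, and a `verify_mode`/`check_hostname` downgrade applied to a context variable in another file will not be seen, which is why the context checks (`context_is_safe`) belong at the point where the connection is actually built.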