Bug 989738 (CVE-2013-4111)

Summary: CVE-2013-4111 OpenStack: python-glanceclient failing SSL certificate check
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aortega, apevec, ayoung, chrisw, eglynn, fpercoco, gkotton, gmollett, iheim, Jan.van.Eldik, jose.castro.leon, jrusnack, jruzicka, markmc, p, rbryant, rhos-maint, sclewis, security-response-team, yeylon, yrabl
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-11-06 05:42:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 994838, 994839, 994840, 994841, 994842
Bug Blocks: 989759

Description Kurt Seifried 2013-07-29 19:52:24 UTC
Thierry Carrez (thierry) reports:

A vulnerability was fixed publicly in OpenStack Python Glance client
recently, and we think it warrants a security advisory to make sure
everyone is aware of it.

We obviously can't embargo anything here since the issue is public
already, but we figured you would still appreciate a day's heads-up
before we publish the advisory and attract the rest of the world's
attention to the issue.

Title: Missing SSL certificate check in Python glance client
Reporter: Thomas Leaman (HP)
Products: python-glanceclient
Affects: All versions

Description:
Thomas Leaman from HP reported that the Python Glance client was
failing to properly check certificates during the establishment of
HTTPS connections. A remote attacker with access over segments of the
network between client and server could potentially set up a
man-in-the-middle attack and access the contents of the Glance client
request (or response).

python-glanceclient fix (will be included in future release):
https://review.openstack.org/#/c/33464/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4111
https://bugs.launchpad.net/python-glanceclient/+bug/1192229
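
The failure mode in the report above, as an added example that is not python-glanceclient code and not part of the original bug report: a Python `ssl` client context that skips peer validation beside the hardened form, and an audit helper that flags the unsafe settings so a client refuses to run with them. The hostname, the `cafile` parameter and the default port are assumptions of the example, not details from the advisory.

```python
"""Added example (not python-glanceclient code): the certificate-check
failure mode from CVE-2013-4111 beside its hardened form, plus an audit
helper that flags an SSLContext which would accept any server cert."""
from typing import List, Optional
import http.client
import ssl


def insecure_context() -> ssl.SSLContext:
    """The failure mode the advisory describes: the connection is encrypted,
    but the server certificate is never validated, so a man-in-the-middle
    presenting any certificate is accepted as the Glance server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened form: chain validation against trusted CAs and hostname
    matching. create_default_context() already sets CERT_REQUIRED and
    check_hostname=True; cafile (assumed, e.g. a private CA bundle for an
    internal endpoint) is added on top of the system trust store."""
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a client context; an empty list means the
    context verifies the peer certificate and matches it to the host."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate is not matched against the host")
    return findings


def https_connection(host: str, port: int = 443,
                     cafile: Optional[str] = None) -> http.client.HTTPSConnection:
    """Build an HTTPS client that refuses to run with an unverified context.
    The audit is the guard rail: a later change that weakens the context
    fails loudly here instead of silently accepting forged certificates."""
    ctx = verifying_context(cafile)
    problems = audit_context(ctx)
    if problems:
        raise RuntimeError("refusing insecure TLS configuration: " + "; ".join(problems))
    return http.client.HTTPSConnection(host, port, context=ctx)


if __name__ == "__main__":
    # The hostname is a constructed placeholder; nothing is sent on the
    # network until a request is issued on the connection.
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(verifying_context()))
    conn = https_connection("glance.example.invalid")
    print("connection to", conn.host, "port", conn.port, "uses verified TLS")
```

The `insecure_context()` function exists only to show what the audit catches; the only context a client should ever hand to `HTTPSConnection` is the verifying one, and keeping the audit in the connection path means the two properties the advisory is about (chain validation and hostname matching) cannot be switched off without an exception.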

Comment 2 Kurt Seifried 2013-07-31 08:06:02 UTC
This is officially public now: http://openwall.com/lists/oss-security/2013/07/30/11

Comment 3 Murray McAllister 2013-09-03 07:37:56 UTC
Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Thomas Leaman of HP as the original reporter.

Comment 4 errata-xmlrpc 2013-09-03 20:18:29 UTC
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1200 https://rhn.redhat.com/errata/RHSA-2013-1200.html

Comment 5 Fedora Update System 2013-11-14 03:34:00 UTC
python-glanceclient-0.9.0-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.