Bug 1429632 – CVE-2017-2639 CloudForms: cloudforms fails to properly check certificates when communicating with RHEV and OpenShift and custom CA

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1429632 - (CVE-2017-2639) CVE-2017-2639 CloudForms: cloudforms fails to properly check certificates when communicating with RHEV and OpenShift and custom CA

Summary:	CVE-2017-2639 CloudForms: cloudforms fails to properly check certificates whe...

Status:	NEW

Aliases:	CVE-2017-2639

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20170531,repor...
Keywords:	Security

Depends On:	1429633 1429634
Blocks:	1429637
	Show dependency tree / graph

Reported:	2017-03-06 12:43 EST by Kurt Seifried
Modified:	2018-06-29 18:19 EDT (History)
CC List:	17 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensitive information from CloudForms.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:1367	normal	SHIPPED_LIVE	Moderate: CFME 5.8.0 security, bug, and enhancement update	2017-05-31 14:16:03 EDT

Groups: None (edit)

Description Kurt Seifried 2017-03-06 12:43:55 EST

Cloudforms fails to properly validate SSL/TLS certificates when communicating with RHEV and OpenShift and using a custom CA.

Comment 3 errata-xmlrpc 2017-05-31 10:39:01 EDT

This issue has been addressed in the following products:

  CloudForms Management Engine 5.8

Via RHSA-2017:1367 https://access.redhat.com/errata/RHSA-2017:1367

Note You need to log in before you can comment on or make changes to this bug.