Bug 1429632 (CVE-2017-2639) - CVE-2017-2639 CloudForms: cloudforms fails to properly check certificates when communicating with RHEV and OpenShift and custom CA
Summary: CVE-2017-2639 CloudForms: cloudforms fails to properly check certificates whe...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-2639
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1429633 1429634
Blocks: 1429637
TreeView+ depends on / blocked
 
Reported: 2017-03-06 17:43 UTC by Kurt Seifried
Modified: 2019-09-29 14:08 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensitive information from CloudForms.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:08:45 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1367 0 normal SHIPPED_LIVE Moderate: CFME 5.8.0 security, bug, and enhancement update 2017-05-31 18:16:03 UTC

Description Kurt Seifried 2017-03-06 17:43:55 UTC
Cloudforms fails to properly validate SSL/TLS certificates when communicating with RHEV and OpenShift and using a custom CA.

Comment 3 errata-xmlrpc 2017-05-31 14:39:01 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.8

Via RHSA-2017:1367 https://access.redhat.com/errata/RHSA-2017:1367


Note You need to log in before you can comment on or make changes to this bug.