Bug 528890 - (CVE-2009-3552) CVE-2009-3552 RHEV-M VDC - GUI: Man in the middle attack possible on the GUI to Backend SSL connection
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Windows
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,source=redhat,reporte...
Keywords: Security
Depends On: 532034
Blocks:
Reported: 2009-10-14 04:41 EDT by Yaniv Kaul
Modified: 2016-04-18 03:15 EDT (History)

Doc Type: Bug Fix
Doc Text:
We'll need release notes on how to 'upgrade' from a 2.2.0 without HTTPS to 2.2.2 with HTTPS.
1. We should update the documentation (not release notes) that the default should now be https://... - with additional instructions on installing the RHEVM CA certificate.
2. If you've already used HTTP, you will need to erase the cookie(s) (called RHEVManager/) from IE (and restart IE). The next time you go to https://<rhevm>/RHEVManager, you'll get the additional prompt to install the RHEVM CA certificate. Once you've done that, after you restart IE (again) and go to https://<rhevm>/RHEVManager, everybody will be happy.
External Trackers
Tracker ID: Red Hat Product Errata RHSA-2010:0613
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: Red Hat Enterprise Virtualization Manager security update
Last Updated: 2010-08-19 17:38:21 EDT
Comment 8 Petr Matousek 2010-08-19 17:34:33 EDT
It was found that the SSL certificate was not verified when using the client-side Red Hat Enterprise Virtualization Manager interface (a Windows Presentation Foundation (WPF) XAML browser application) to connect to the Red Hat Enterprise Virtualization Manager. An attacker on the local network could use this flaw to conduct a man-in-the-middle attack, tricking the user into thinking they are viewing the Red Hat Enterprise Virtualization Manager when the content is actually attacker-controlled, or modifying actions a user requested Red Hat Enterprise Virtualization Manager to perform.
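The failure mode described in Comment 8, as an added illustration that is not RHEV-M's own code: a .NET TLS client callback that accepts every server certificate, beside a hardened callback that enforces validation and additionally requires the chain to end at the RHEVM CA the user installed (see Doc Text). The `ServicePointManager` hook and the CA thumbprint are assumptions; the page does not show the product's actual validation code.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class RhevmTlsValidation
{
    // Placeholder (assumption): SHA-1 thumbprint of the RHEVM CA certificate installed
    // per the Doc Text. A real deployment substitutes the thumbprint of its own CA.
    const string ExpectedCaThumbprint = "0000000000000000000000000000000000000000";

    // Vulnerable pattern: every certificate is accepted, so a host on the network path
    // can present its own certificate and read or alter the GUI-to-backend traffic.
    public static bool AcceptAnything(object sender, X509Certificate cert,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        return true;
    }

    // Hardened callback: reject any policy error (name mismatch, untrusted or broken
    // chain, no certificate), then require that the chain terminates at the expected
    // CA so that a certificate from some other trusted root is not sufficient either.
    public static bool RequireRhevmCa(object sender, X509Certificate cert,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None || chain == null || chain.ChainElements.Count == 0)
            return false;

        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return string.Equals(root.Thumbprint, ExpectedCaThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Process-wide hook consulted by HttpWebRequest/WebClient in the .NET Framework;
    // a WPF client sets this before opening its first HTTPS connection to the backend.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = RequireRhevmCa;
    }
}
```

Installing the CA in the Windows trust store (the Doc Text step) is what lets the chain validate with `SslPolicyErrors.None`; the thumbprint comparison then narrows trust to that one CA.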
Comment 9 errata-xmlrpc 2010-08-19 17:38:25 EDT
This issue has been addressed in the following products:

Via RHSA-2010:0613 https://rhn.redhat.com/errata/RHSA-2010-0613.html