Bug 851672 - (CVE-2012-3533) CVE-2012-3533 ovirt 3.1: does not validate server identity in new python SDK and CLI
Status: ON_QA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20120815,repor...
Keywords: Security
Depends On: 851674
Blocks:
Reported: 2012-08-24 12:30 EDT by Vincent Danen
Modified: 2015-07-31 06:01 EDT (History)
3 users

See Also:
Fixed In Version: ovirt-engine-sdk-python-3.4.0.7-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 26271 None None None Never
oVirt gerrit 26815 None None None Never

Description Vincent Danen 2012-08-24 12:30:14 EDT
It was reported that oVirt 3.1 did not properly validate SSL certificates of the server when the client would connect.  This could permit man-in-the-middle attacks.

In the oVirt SDK, the Python httplib.HTTPSConnection function is used to let the programmer specify the client's pair of certificates, but does not force the underlying SSL library to check the server certificate against the client keys.

Because of this, the oVirt CLI tool does not check certificates upon connection.

The new Python SDK (ovirt-engine-sdk) and new Python CLI (ovirt-engine-cli) were introduced in oVirt 3.1 [1]; earlier versions are not affected by this flaw.

This has been corrected in upstream git for the sdk [2] and the cli [3].

[1] http://wiki.ovirt.org/wiki/Release_Notes#Interfaces
[2] http://gerrit.ovirt.org/#/c/7209/
[3] http://gerrit.ovirt.org/#/c/7249/
Comment 1 Vincent Danen 2012-08-24 12:38:44 EDT
Created ovirt-engine tracking bugs for this issue

Affects: fedora-all [bug 851674]
Comment 3 Michael Pasternak 2012-08-26 03:41:12 EDT
A fix for the mentioned issue is available in:

sdk: 3.1.0.6
cli: 3.1.0.8
Comment 4 Juan Hernández 2014-04-16 05:11:17 EDT
The check of the host name has been added in upstream release 3.4.0.7 of the Python SDK. The CLI doesn't need any modification. Packages containing the fixes are available here:

  http://jhernand.fedorapeople.org/rpms/ovirt-engine-sdk-python/3.4.0.7-1

Updates for Fedora 19, Fedora 20, and EPEL 6 are available here:

  https://admin.fedoraproject.org/updates/ovirt-engine-sdk-python-3.4.0.7-1.fc19
  https://admin.fedoraproject.org/updates/ovirt-engine-sdk-python-3.4.0.7-1.fc20
  https://admin.fedoraproject.org/updates/ovirt-engine-sdk-python-3.4.0.7-1.el6
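
The two halves of the fix discussed in this bug (Comment 0: the client presents its own key pair but never verifies the server's chain; Comment 4: the host name is finally checked against the certificate in 3.4.0.7) can be shown side by side in a small client. The code below is an added example written for this page, not code from ovirt-engine-sdk or ovirt-engine-cli; the file names ca.pem, client-cert.pem and client-key.pem, the function names, and the simplified RFC 6125 name matcher are all assumptions of this example. `unverified_context` is the modern-Python equivalent of what the 3.1 SDK did; `verified_context` is what a caller should use.

```python
"""Added example (not ovirt-engine-sdk/-cli code).  Shows an HTTPS client
that presents a client certificate but never authenticates the server
(the CVE-2012-3533 pattern) beside a hardened one that pins the engine's
CA, requires a server certificate and checks the host name.
ca.pem / client-cert.pem / client-key.pem are assumed file names."""
import http.client
import ssl


def unverified_context(cert_file=None, key_file=None):
    """What the 3.1 SDK effectively did: load the client's key pair and
    stop there.  Anyone on the path can terminate TLS with any certificate
    and relay the REST calls, i.e. a man-in-the-middle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def verified_context(ca_file=None, cert_file=None, key_file=None):
    """Hardened form: chain validation against ca_file (the engine CA;
    None falls back to the system trust store) plus host-name checking.
    The client key pair is still loaded, but it only proves *our* identity
    to the engine; it says nothing about who the engine is."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED   # already the default, made explicit
    ctx.check_hostname = True
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def resists_mitm(ctx):
    """True only if both halves of server authentication are on: a trusted
    chain (CERT_REQUIRED) and a binding of that chain to the intended
    name (check_hostname).  Either one alone is not enough."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def engine_connection(host, ctx, port=443):
    """The 3.1 SDK handed key_file/cert_file straight to HTTPSConnection,
    which on the Python 2 of that time verified nothing.  Pass a context."""
    return http.client.HTTPSConnection(host, port, context=ctx)


def _dns_name_match(pattern, hostname):
    """Simplified RFC 6125 matching (assumption of this example, not the
    SDK's code): case-insensitive, trailing dot ignored, at most one
    wildcard and only as the whole leftmost label of a 3+ label name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False          # rejects "*", "*.org", "f*.example.org"
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, hostname):
    """Match a peer certificate in ssl.SSLSocket.getpeercert() dict shape
    against the host the caller intended to reach (the check Comment 4
    says was missing until 3.4.0.7).  dNSName SANs are authoritative; the
    subject CN is consulted only when the certificate has no dNSName."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    return any(_dns_name_match(n, hostname) for n in names)


if __name__ == "__main__":
    # Constructed peer-certificate dict (example data, not a real engine cert).
    peer = {"subject": ((("commonName", "engine.example.org"),),),
            "subjectAltName": (("DNS", "*.example.org"),)}
    for name in ("engine.example.org", "example.org", "a.b.example.org"):
        print(f"{name:>20}: {cert_matches_host(peer, name)}")
    print("unverified resists MITM:", resists_mitm(unverified_context()))
    print("verified resists MITM:  ", resists_mitm(verified_context()))
```

On a live socket `verified_context` does the host-name binding itself through `check_hostname`; `cert_matches_host` is there to make the rule explicit and to audit a certificate dict obtained with `getpeercert()`, for example when a caller has to turn `check_hostname` off to connect by IP address and must then bind the name manually. Note the order in `unverified_context`: Python refuses `CERT_NONE` while `check_hostname` is still true, which is a useful guard against disabling verification by accident.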
