Bug 924514 (CVE-2013-2255) - CVE-2013-2255 openstack-*: Inconsistent and non-validating HTTPS client
Summary: CVE-2013-2255 openstack-*: Inconsistent and non-validating HTTPS client
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2013-2255
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 971674
Depends On: 995316 995319 984679 984680 984681 984682 995314 995315 995317 995318
Blocks: 971043 971675
 
Reported: 2013-03-21 23:59 UTC by Grant Murphy
Modified: 2019-09-29 13:01 UTC (History)
CC List: 17 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-06 04:58:22 UTC




Links
System ID Priority Status Summary Last Updated
Launchpad 1188189 None None None Never

Description Grant Murphy 2013-03-21 23:59:29 UTC
Description: 

The following files use httplib.HTTPSConnection : 

keystone/middleware/s3_token.py
keystone/middleware/ec2_token.py
keystone/common/bufferedhttp.py
vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token.py


AFAICT HTTPSConnection does not validate server certificates and should be avoided. This is fixed in Python 3, however in 2.X no validation occurs. I suspect this is also applicable to most OpenStack modules that make HTTPS client calls.
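Added example, not part of the bug report or of any OpenStack code: a Python 3 reproduction of what the report describes. A throw-away self-signed server is started on 127.0.0.1 and four client configurations are tried against it: a context with verify_mode=CERT_NONE, which is what Python 2.x httplib.HTTPSConnection amounted to; a default verifying context; a context with the server's own certificate as its trust anchor; and that same context asked for a hostname the certificate does not carry. The openssl CLI call, the IP SAN, the port/thread handling and all function names are assumptions of the example, not anything from the bug.

```python
# Added example, not code from the bug report or from OpenStack.  Reproduces the
# behaviour described above (Python 2.x httplib.HTTPSConnection trusting any
# certificate) with Python 3's ssl module and contrasts it with a verifying
# client, all against a local self-signed TLS server.
# Assumed: Python 3.7+ and an `openssl` CLI (1.1.1+, for -addext) on PATH.
import http.client
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed_cert(tmpdir):
    """Throw-away key and self-signed cert carrying an IP SAN for 127.0.0.1."""
    key = os.path.join(tmpdir, "key.pem")
    cert = os.path.join(tmpdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=test-server", "-addext", "subjectAltName=IP:127.0.0.1",
         "-keyout", key, "-out", cert],
        check=True, capture_output=True)
    return key, cert


def run_server(key, cert, n_clients):
    """Serve n_clients TLS connections on 127.0.0.1 with a fixed HTTP reply.
    Returns (port, thread).  Handshakes a client aborts are swallowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    port = lsock.getsockname()[1]

    def loop():
        for _ in range(n_clients):
            conn, _ = lsock.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(4096)  # the request; its content is irrelevant here
                    tls.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                                b"Connection: close\r\n\r\nok")
            except (ssl.SSLError, OSError):
                pass  # a verifying client refused our certificate
            finally:
                conn.close()
        lsock.close()

    t = threading.Thread(target=loop, daemon=True)
    t.start()
    return port, t


def fetch(host, port, context):
    """One GET over HTTPS.  Returns ("ok", status) or ("rejected", error class)."""
    conn = http.client.HTTPSConnection(host, port, context=context, timeout=5)
    try:
        conn.request("GET", "/")
        return ("ok", conn.getresponse().status)
    except ssl.SSLCertVerificationError as exc:
        return ("rejected", type(exc).__name__)
    finally:
        conn.close()


def demo():
    """Run the four client configurations against one self-signed server.
    Returns None when no certificate can be generated (openssl CLI missing or
    too old), since there is then nothing to talk to."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        try:
            key, cert = make_self_signed_cert(tmp)
        except subprocess.CalledProcessError:
            return None
        port, thread = run_server(key, cert, n_clients=4)

        # What Python 2.x httplib.HTTPSConnection effectively did: encrypt the
        # channel, but accept whatever certificate the peer presents.
        no_verify = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        no_verify.check_hostname = False
        no_verify.verify_mode = ssl.CERT_NONE

        results = {
            # self-signed cert accepted; an active attacker's cert would be too
            "no_verify": fetch("127.0.0.1", port, no_verify),
            # system trust store does not contain our cert: rejected
            "default_trust": fetch("127.0.0.1", port, ssl.create_default_context()),
            # explicit trust anchor plus a matching IP SAN: accepted
            "pinned_ca": fetch("127.0.0.1", port, ssl.create_default_context(cafile=cert)),
            # right trust anchor, but "localhost" is not a name in the cert: rejected
            "pinned_ca_wrong_host": fetch("localhost", port, ssl.create_default_context(cafile=cert)),
        }
        thread.join(timeout=10)
    return results


if __name__ == "__main__":
    for name, outcome in (demo() or {}).items():
        print(f"{name:22s} {outcome}")
```

The two rejections are the point: a client that only encrypts (no_verify) cannot tell the real endpoint from a man-in-the-middle, and trusting the right CA is still not enough without the hostname check. In Python 2.x the equivalent remediation is to subclass httplib.HTTPSConnection, override connect() to call ssl.wrap_socket() with cert_reqs=ssl.CERT_REQUIRED and a ca_certs bundle, and then compare the returned peer certificate against the requested hostname (ssl.match_hostname() from Python 2.7.9, or the backports.ssl_match_hostname package before that).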

Comment 2 Jan Lieskovsky 2013-05-23 09:33:50 UTC
(In reply to Grant Murphy from comment #0)

Thank you for your report, Grant.

> Description: 
> 
> The following files use httplib.HTTPSConnection : 
> 
> keystone/middleware/s3_token.py
> keystone/middleware/ec2_token.py
> keystone/common/bufferedhttp.py
> vendor/python-keystoneclient-master/keystoneclient/middleware/auth_token.py
> 
> 
> AFAICT HTTPSConnection does not validate server certificates and should be
> avoided. This is fixed in Python 3, however in 2.X no validation occurs. I
> suspect this is also applicable to most OpenStack modules that make HTTPS
> client calls.

Have you reported this issue upstream already? Or should we do?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 3 Grant Murphy 2013-06-06 02:48:10 UTC
This bug also appears to exist within several other openstack components upstream: 

cinder/cinder/volume/drivers/zadara.py:            connection = httplib.HTTPSConnection(self.host, self.port)
cinder/cinder/volume/drivers/solidfire.py:            connection = httplib.HTTPSConnection(host, port)
keystone/keystone/middleware/ec2_token.py:            conn = httplib.HTTPSConnection(o.netloc)
keystone/keystone/middleware/s3_token.py:            self.http_client_class = httplib.HTTPSConnection
keystone/keystone/common/bufferedhttp.py:    If ssl is set True, HTTPSConnection will be used. However, if ssl=False,
keystone/keystone/common/bufferedhttp.py:    If ssl is set True, HTTPSConnection will be used. However, if ssl=False,
keystone/keystone/common/bufferedhttp.py:        conn = httplib.HTTPSConnection(
nova/nova/virt/vmwareapi/read_write_util.py:            conn = httplib.HTTPSConnection(netloc)
nova/nova/api/ec2/__init__.py:            conn = httplib.HTTPSConnection(o.netloc)
nova/nova/scheduler/filters/trusted_filter.py:class HTTPSClientAuthConnection(httplib.HTTPSConnection):
nova/nova/scheduler/filters/trusted_filter.py:        httplib.HTTPSConnection.__init__(self, host,
nova/plugins/xenserver/xenapi/etc/xapi.d/plugins/glance:            conn = httplib.HTTPSConnection(glance_host, glance_port)
nova/plugins/xenserver/xenapi/etc/xapi.d/plugins/pluginlib_nova.py:            httplib.HTTPSConnection(netloc) or
quantum/quantum/plugins/bigswitch/plugin.py:            conn = httplib.HTTPSConnection(
quantum/quantum/plugins/nec/common/ofc_client.py:            return httplib.HTTPSConnection
quantum/quantum/plugins/nicira/api_client/common.py:    if isinstance(conn, httplib.HTTPSConnection):
quantum/quantum/plugins/nicira/api_client/client.py:            return httplib.HTTPSConnection(host, port,
quantum/quantum/plugins/nicira/api_client/client.py:        is_ssl = isinstance(http_conn, httplib.HTTPSConnection)
swift/swift/common/bufferedhttp.py:    HTTPResponse, HTTPSConnection, _UNKNOWN
swift/swift/common/bufferedhttp.py:    HTTPSConnection will be used. However, if ssl=False, BufferedHTTPConnection
swift/swift/common/bufferedhttp.py:    HTTPSConnection will be used. However, if ssl=False, BufferedHTTPConnection
swift/swift/common/bufferedhttp.py:        conn = HTTPSConnection('%s:%s' % (ipaddr, port))

Comment 6 Vincent Danen 2013-07-15 16:29:26 UTC
Changing this to an SRT bug as it affects more than just keystone and is now public.

Comment 7 Vincent Danen 2013-07-15 16:47:47 UTC
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 984679]
Affects: epel-6 [bug 984681]

Comment 8 Vincent Danen 2013-07-15 16:48:11 UTC
Created python-keystoneclient tracking bugs for this issue:

Affects: fedora-all [bug 984680]
Affects: epel-6 [bug 984682]

Comment 9 Kurt Seifried 2013-08-08 02:48:15 UTC
https://bugs.launchpad.net/keystone/+bug/1188189

Comment 10 Kurt Seifried 2013-08-08 02:48:39 UTC
*** Bug 971674 has been marked as a duplicate of this bug. ***

Comment 14 Garth Mollett 2014-03-06 04:58:22 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having Moderate security impact in Red Hat Enterprise OpenStack Platform 3; however, fixing this issue would require a change to default behavior. This issue is not currently planned to be addressed in future updates. 

This issue did not affect the versions of openstack-keystone or python-keystoneclient as shipped with Red Hat Enterprise OpenStack Platform 4.

For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

