Bug 1143808 (CVE-2014-7144) - CVE-2014-7144 python-keystoneclient: TLS certificate verification disabled
Summary: CVE-2014-7144 python-keystoneclient: TLS certificate verification disabled
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-7144
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1143809 1143810 1148340 1148341 1148342 1152381
Blocks: 1143811
TreeView+ depends on / blocked
 
Reported: 2014-09-18 04:12 UTC by Murray McAllister
Modified: 2021-02-17 06:12 UTC (History)
30 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that python-keystoneclient treated all settings in paste.ini files as string types. If the "insecure" option were set to any value in a paste.ini configuration file, it would be evaluated as true, resulting in TLS connections being vulnerable to man-in-the-middle attacks.
Clone Of:
Environment:
Last Closed: 2015-01-08 19:10:48 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1783 0 normal SHIPPED_LIVE Moderate: python-keystoneclient security and bug fix update 2014-11-03 13:36:52 UTC
Red Hat Product Errata RHSA-2014:1784 0 normal SHIPPED_LIVE Moderate: python-keystoneclient security and bug fix update 2014-11-03 13:36:46 UTC
Red Hat Product Errata RHSA-2015:0020 0 normal SHIPPED_LIVE Moderate: python-keystoneclient security update 2015-01-08 23:05:03 UTC

Description Murray McAllister 2014-09-18 04:12:18 UTC 
The OpenStack project reports:

""
Title: TLS cert verification option not honoured in paste configs
Reporter: Qin Zhao (IBM)
Products: keystonemiddleware, python-keystoneclient
Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.10.1
(python-keystoneclient)

Description:
Qin Zhao from IBM reported a vulnerability in keystonemiddleware (formerly
shipped as python-keystoneclient). When the 'insecure' SSL option is set in 
a paste configuration file it is effectively ignored, regardless of its 
value.  As a result certificate verification will be disabled, leaving TLS
connections open to MITM attacks. All versions of keystonemiddleware with
TLS settings configured via a paste.ini file are affected by this flaw.
""

Upstream fix:

https://review.openstack.org/#/c/112232/

References:
http://launchpad.net/bugs/1353315
http://www.openwall.com/lists/oss-security/2014/09/17/3
Comment 2 Murray McAllister 2014-09-18 04:16:40 UTC 
Created python-keystoneclient tracking bugs for this issue:

Affects: fedora-all [bug 1143809]
Comment 4 Murray McAllister 2014-09-25 04:11:20 UTC 
MITRE assigned CVE-2014-7144 to this issue:

http://seclists.org/oss-sec/2014/q3/628
Comment 5 Murray McAllister 2014-09-26 02:55:17 UTC 
OpenStack's advisory:

http://seclists.org/oss-sec/2014/q3/731
Comment 13 errata-xmlrpc 2014-11-03 08:40:40 UTC 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2014:1784 https://rhn.redhat.com/errata/RHSA-2014-1784.html
Comment 14 errata-xmlrpc 2014-11-03 08:40:54 UTC 
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2014:1783 https://rhn.redhat.com/errata/RHSA-2014-1783.html
Comment 16 errata-xmlrpc 2015-01-08 18:05:21 UTC 
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2015:0020 https://rhn.redhat.com/errata/RHSA-2015-0020.html
Note You need to log in before you can comment on or make changes to this bug.