Multiple security flaws were found in the vdsm SSL certificate validation code. Details:
VDSM can connect to other VDSM services for remote management of virtual hosts stored on a remote node. During the connection the remote node presents a certificate. The hostname of the remote host is presented in the certificate but not validated by the client connection to ensure that the host matches the correct name. The SSL client should compare the hostname presented in the certificate to the host name returned in the server certificate's "Common Name" field of the "subjectDN" entry. If this is not the case the connection should fail.
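The check described in the report above, sketched as an added example (this is not vdsm code and not part of the original report). It goes slightly beyond the report by preferring `subjectAltName` DNS entries and falling back to the subject Common Name only when none are present; the function names and sample certificates are constructed for illustration, and the certificate dict uses the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added illustration: hostname verification over an already chain-validated
# peer certificate. With the stdlib, ssl.create_default_context() enables the
# equivalent check (check_hostname=True) when server_hostname is supplied.

def _dns_match(pattern, hostname):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as '*.test'.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def peer_names(cert):
    """Names the certificate vouches for: SAN dNSName entries, else subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def verify_peer_hostname(cert, expected_host):
    """Raise ValueError unless expected_host matches a name in the certificate."""
    if not cert:
        raise ValueError("no validated peer certificate")
    names = peer_names(cert)
    if not any(_dns_match(n, expected_host) for n in names):
        raise ValueError("certificate is for %r, not %r" % (names, expected_host))
    return True


# Constructed sample certificates (hypothetical hosts under example.test).
CERT_CN_ONLY = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "node1.example.test"),)),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "node1.example.test"),),),
    "subjectAltName": (("DNS", "node2.example.test"),
                       ("DNS", "*.mgmt.example.test")),
}
```

A certificate that chains to a trusted CA but was issued to a different host is rejected here, which is the failure the report says the client connection should enforce.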
*** Bug 1165022 has been marked as a duplicate of this bug. ***
As per discussion with Alon Bar-Lev this may be addressed in RHEV 4.
This issue affects the versions of vdsm as shipped with Red Hat Enterprise Virtualization 3.x. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.