Python paramiko up to and including versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5 and 1.17.6 (the last affected release of each maintained branch) is vulnerable to an authentication bypass in paramiko/auth_handler.py. The flaw is in the SSH server side of the library: a remote, unauthenticated client connecting to an SSH server built on paramiko could bypass user authentication and, depending on what that server exposes to authenticated users, execute arbitrary code.
Upstream Issue: https://github.com/paramiko/paramiko/issues/1283
Upstream Patch: https://github.com/paramiko/paramiko/commit/56c96a65
Created python-paramiko tracking bugs for this issue:
Affects: epel-all [bug 1637265]
Affects: fedora-all [bug 1637264]
Affects: openstack-rdo [bug 1637266]
OpenStack consumes the version of paramiko provided by RHEL. However, as per the statement, OpenStack does not use the SSH server functionality of paramiko.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:3347 https://access.redhat.com/errata/RHSA-2018:3347
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 6.4 Advanced Update Support
Red Hat Enterprise Linux 6.5 Advanced Update Support
Red Hat Enterprise Linux 6.6 Advanced Update Support
Red Hat Enterprise Linux 6.6 Telco Extended Update Support
Red Hat Enterprise Linux 6.7 Extended Update Support
Via RHSA-2018:3406 https://access.redhat.com/errata/RHSA-2018:3406
This issue was addressed in Red Hat Virtualization in the following errata:
https://access.redhat.com/errata/RHBA-2018:3497 (rhvm-appliance)
https://access.redhat.com/errata/RHSA-2018:3470 (redhat-virtualization-host)
Ansible consumes the version of paramiko provided by RHEL. However, as per the statement, Ansible does not use the SSH server functionality of paramiko.
Statement: This flaw is a user authentication bypass in the SSH server functionality of paramiko (normally used by subclassing `paramiko.ServerInterface`). Where paramiko is used only for its client-side functionality (e.g. `paramiko.SSHClient`), the vulnerability is not exposed and thus cannot be exploited. The following Red Hat products use paramiko only in client-side mode; server-side functionality is not used.
* Red Hat Ansible Engine 2
* Red Hat Ceph Storage 2
* Red Hat CloudForms 4
* Red Hat Enterprise Linux 7
* Red Hat Enterprise Virtualization
* Red Hat Gluster Storage 3
* Red Hat OpenShift Container Platform
* Red Hat Quick Cloud Installer
* Red Hat Satellite 6
* Red Hat Storage Console 2
* Red Hat OpenStack Platform
* Red Hat Update Infrastructure
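The statement above reduces triage of this CVE to two questions: is the installed paramiko one of the affected releases, and does the code actually bring up paramiko's server side (a `paramiko.ServerInterface` subclass) rather than only the client side? The following script, added here as an illustration and not code from the Red Hat bug or from the paramiko project, answers both for a version string and a Python source file. It assumes that the first fixed release of each branch is the next patch level after the "through" versions listed at the top of this page (2.4.2, 2.3.3, 2.2.4, 2.1.6, 2.0.9, 1.18.6, 1.17.7), and treats branches the advisory does not list as unknown rather than safe. The two sample modules inside it are constructed for the demonstration.

```python
"""Triage helper for the paramiko server-side authentication bypass.

Added example (not part of the Red Hat bug or of paramiko). It checks:
  1. whether a paramiko version string falls in an affected release range,
     assuming the fix landed in the patch level after each listed version;
  2. whether a Python module uses paramiko's server side (subclassing
     paramiko.ServerInterface, or calling Transport.start_server) or only its
     client side (paramiko.SSHClient), which the statement says is not exposed.
"""
import ast
from typing import Dict, List, Optional, Tuple

# Last affected release per branch, exactly as listed in the advisory text.
LAST_AFFECTED = ["2.4.1", "2.3.2", "2.2.3", "2.1.5", "2.0.8", "1.18.5", "1.17.6"]


def _parse(version: str) -> Tuple[int, ...]:
    """Turn '2.4.1' (or '2.4.1rc1') into (2, 4, 1); stop at the first non-numeric part."""
    parts: List[int] = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version: str) -> Optional[bool]:
    """True if affected, False if at/after the assumed fix, None if the branch is not covered."""
    v = _parse(version)
    if len(v) < 3:
        return None
    for last in LAST_AFFECTED:
        branch = _parse(last)
        if v[:2] == branch[:2]:
            return v[2] <= branch[2]  # assumption: next patch level is the fixed one
    return None


def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as paramiko.ServerInterface as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def classify_usage(source: str) -> Dict[str, List[str]]:
    """Return {'server': [class names], 'client': ['line N', ...]} for one module's source."""
    tree = ast.parse(source)
    server_names = {"paramiko.ServerInterface", "paramiko.server.ServerInterface"}
    client_names = {"paramiko.SSHClient", "paramiko.client.SSHClient"}
    # First pass: learn the local names that imports bind to the two classes.
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module and node.module.split(".")[0] == "paramiko":
            for alias in node.names:
                full = f"{node.module}.{alias.name}"
                local = alias.asname or alias.name
                if full in server_names:
                    server_names.add(local)
                if full in client_names:
                    client_names.add(local)
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "paramiko" and alias.asname:  # import paramiko as pk
                    server_names.add(f"{alias.asname}.ServerInterface")
                    client_names.add(f"{alias.asname}.SSHClient")
    # Second pass: find server subclasses, start_server() calls and client constructions.
    result: Dict[str, List[str]] = {"server": [], "client": []}
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            if any(_dotted(b) in server_names for b in node.bases):
                result["server"].append(node.name)
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in client_names:
                result["client"].append(f"line {node.lineno}")
            elif name.endswith(".start_server"):  # Transport.start_server() also exposes the server side
                result["server"].append(f"start_server at line {node.lineno}")
    return result


def triage(version: str, source: str) -> str:
    """Combine both checks the way the advisory's statement does."""
    usage = classify_usage(source)
    if not usage["server"]:
        return "not exposed: client-side use only"
    affected = is_affected(version)
    if affected is True:
        return "exposed: server-side use on an affected version"
    if affected is False:
        return "server-side use, but the version is at or past the assumed fix"
    return "server-side use, version branch not covered by this advisory"


# Constructed sample modules for the demonstration (not code from any real product).
SERVER_MODULE = '''
import paramiko

class HoneypotServer(paramiko.ServerInterface):
    def check_auth_password(self, username, password):
        return paramiko.AUTH_FAILED
'''

CLIENT_MODULE = '''
from paramiko import SSHClient, AutoAddPolicy

def run(host):
    c = SSHClient()
    c.set_missing_host_key_policy(AutoAddPolicy())
    c.connect(host)
'''

if __name__ == "__main__":
    print(triage("2.4.1", SERVER_MODULE))   # exposed: server-side use on an affected version
    print(triage("2.4.1", CLIENT_MODULE))   # not exposed: client-side use only
```

Run it against each module that imports paramiko; a hit in `server` on an affected version is what the statement calls exposed, while client-only modules can be deprioritised regardless of version. The version check deliberately returns `None` for branches the advisory does not name (for example 2.5.x or anything older than 1.17), so a caller has to consult the upstream advisory rather than read silence as safety.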