A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.
The following OpenStack releases ship the vulnerable library. However, OpenStack does not appear to use the GCM mode.
Red Hat OpenStack 13
Red Hat OpenStack 14
Created python-cryptography tracking bugs for this issue:
Affects: openstack-rdo [bug 1605041]
(In reply to Pedro Yóssis Silva Barbosa from comment #8)
> RHEL7.5 ships version 1.7.2-2. Thus it is affected.
How come, description says >=1.9.0 and <2.3 ?
Correction: RHEL7.5 ships version 1.7.2-2 and the finalize_with_tag method wasn't implemented in this version. Thus it is NOT affected. I am closing the rhel-7 tracker.
This issue has been addressed in the following products:
Red Hat OpenStack Platform 13.0 (Queens)
Via RHSA-2018:3600 https://access.redhat.com/errata/RHSA-2018:3600