Bugzilla – Bug 897103
VUL-0: CVE-2014-7144: python-keystoneclient: TLS cert verification option not honoured in paste configs
Last modified: 2018-02-16 15:35:31 UTC
via oss-sec and openstack advisory

A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet.

Title: TLS cert verification option not honoured in paste configs
Reporter: Qin Zhao (IBM)
Products: keystonemiddleware, python-keystoneclient
Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.10.1 (python-keystoneclient)
Description: Qin Zhao from IBM reported a vulnerability in keystonemiddleware (formerly shipped as python-keystoneclient). When the 'insecure' SSL option is set in a paste configuration file, it is effectively ignored, regardless of its value. As a result, certificate verification will be disabled, leaving TLS connections open to MITM attacks. All versions of keystonemiddleware with TLS settings configured via a paste.ini file are affected by this flaw.
References: http://launchpad.net/bugs/1353315
bugbot adjusting priority
CVE-2014-7144
Affected packages:
SLE-11-SP3-CL4: python-keystoneclient
SLE-11-SP3-PRODUCTS: python-keystoneclient
SLE-11-SP3-UPTU: python-keystoneclient
SLE-12: python-keystoneclient
This breaks OpenStack completely:

2014-10-07 21:52:14.683 11862 TRACE neutron   File "/usr/lib64/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 1314, in auth_filter
2014-10-07 21:52:14.683 11862 TRACE neutron     return AuthProtocol(app, conf)
2014-10-07 21:52:14.683 11862 TRACE neutron   File "/usr/lib64/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 401, in __init__
2014-10-07 21:52:14.683 11862 TRACE neutron     self.conf = _conf_values_type_convert(conf)
2014-10-07 21:52:14.683 11862 TRACE neutron   File "/usr/lib64/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 347, in _conf_values_type_convert
2014-10-07 21:52:14.683 11862 TRACE neutron     opt_types = dict((o.dest, o.type) for o in opts)
2014-10-07 21:52:14.683 11862 TRACE neutron   File "/usr/lib64/python2.6/site-packages/keystoneclient/middleware/auth_token.py", line 347, in <genexpr>
2014-10-07 21:52:14.683 11862 TRACE neutron     opt_types = dict((o.dest, o.type) for o in opts)
2014-10-07 21:52:14.683 11862 TRACE neutron AttributeError: 'StrOpt' object has no attribute 'type'
With Ionut, we found that the breakage comes from the old oslo.config-1.2, which does not provide the type attribute. oslo.config-1.4 from Juno worked, but I wonder if it is worth updating it.
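The two failure modes in this thread, the 'insecure' paste option being treated as set regardless of its value (the advisory above) and the fixed middleware crashing on an oslo.config that predates the `type` attribute (the traceback above), are illustrated below in an added example. This is not code from keystonemiddleware, python-keystoneclient or oslo.config; the option objects, the paste.ini fragment, the host name and the function names are constructed stand-ins. Its point is that paste.ini delivers every value as a string, so a value like `"false"` is truthy unless it is type-converted first, and that a type-driven conversion should degrade gracefully rather than raise when an option object exposes no `type`.

```python
import configparser
from collections import namedtuple

# Constructed stand-ins for oslo.config option objects (assumption: real
# opts expose .dest, and newer releases add .type; the 1.2-era StrOpt in
# the traceback does not, hence the AttributeError there).
TypedOpt = namedtuple("TypedOpt", "dest type")
LegacyOpt = namedtuple("LegacyOpt", "dest")  # no .type attribute at all


def str_to_bool(value):
    """Strict boolean conversion; anything that is not clearly a bool is an error."""
    if isinstance(value, bool):
        return value
    lowered = str(value).strip().lower()
    if lowered in ("true", "1", "yes", "on"):
        return True
    if lowered in ("false", "0", "no", "off"):
        return False
    raise ValueError("not a boolean value: %r" % (value,))


# Option declarations as a middleware might carry them (constructed).
TYPED_OPTS = [TypedOpt("insecure", str_to_bool), TypedOpt("auth_uri", str)]
LEGACY_OPTS = [LegacyOpt("insecure"), LegacyOpt("auth_uri")]

# Constructed paste.ini fragment; the host is a placeholder, not a real endpoint.
SAMPLE_PASTE_INI = """
[filter:authtoken]
auth_uri = https://keystone.example.invalid:5000
insecure = false
"""


def load_filter_conf(text, section="filter:authtoken"):
    """Parse a paste-style INI fragment. Every value comes back as a str."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return dict(cp.items(section))


def conf_values_type_convert(conf, opts):
    """Convert raw paste strings using per-option metadata.

    getattr() with a default keeps this usable against option objects that
    lack .type: such values are left as strings instead of raising at
    middleware construction time, which is what took the whole service down
    in the traceback.
    """
    opt_types = {o.dest: getattr(o, "type", None) for o in opts}
    converted = {}
    for key, value in conf.items():
        conv = opt_types.get(key)
        converted[key] = conv(value) if conv else value
    return converted


def verify_flag_buggy(conf):
    """Vulnerable pattern: consults the raw string. A non-empty string such as
    'false' is truthy, so verification is switched off whenever the key is
    present at all, regardless of its value."""
    return not conf.get("insecure", False)


def verify_flag_fixed(conf, opts=TYPED_OPTS):
    """Hardened pattern: type-convert, then coerce strictly before deciding.

    The explicit str_to_bool() keeps the decision correct even when the
    option metadata carried no type and the value is still a string."""
    typed = conf_values_type_convert(conf, opts)
    return not str_to_bool(typed.get("insecure", False))
```

With the sample fragment, `verify_flag_buggy` returns False (verification disabled although the operator wrote `insecure = false`), while `verify_flag_fixed` returns True with either option set; only an explicit `insecure = true` disables verification in the hardened path.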
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2015-02-16. https://swamp.suse.de/webswamp/wf/60274
SUSE-SU-2015:0221-1: An update that solves one vulnerability and has one errata is now available.

Category: security (low)
Bug References: 897103,913692
CVE References: CVE-2014-7144
Sources used:
SUSE Cloud 4 (src): python-keystoneclient-0.9.0-0.11.1
This needs to be fixed in Cloud5 as well. Please resubmit python-keystoneclient based on sr#57312.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7144

"OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate."
@Alexander: This is already fixed in python-keystoneclient-1.0.0 which is the version in Cloud 5.
then we can close I think
SUSE-SU-2015:1141-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 897103,928205
CVE References: CVE-2014-7144,CVE-2015-1852
Sources used:
SUSE Cloud 4 (src): python-keystoneclient-0.9.0-0.13.1