Bug 928205 (CVE-2015-1852) - VUL-1: CVE-2015-1852: python-keystonemiddleware,openstack-keystone,python-keystoneclient: The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient befor...
Summary: VUL-1: CVE-2015-1852: python-keystonemiddleware,openstack-keystone,python-key...
Status: RESOLVED FIXED
Alias: CVE-2015-1852
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Deadline: 2015-05-26
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/115825/
Whiteboard: maint:released:sle11-sp3-cl4:61690 C...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-22 15:28 UTC by Andreas Stieger
Modified: 2016-02-26 13:00 UTC (History)
5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Andreas Stieger 2015-04-22 15:28:10 UTC
via oss-sec http://seclists.org/oss-sec/2015/q2/139

The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and
python-keystoneclient before 1.4.0 disables certification verification when the
"insecure" option is set in a paste configuration (paste.ini) file regardless of
the value, which allows remote attackers to conduct man-in-the-middle attacks
via a crafted certificate, a different vulnerability than CVE-2014-7144.


===============================================================
OSSA-2015-007: S3Token TLS cert verification option not honored
===============================================================

:Date: April 14, 2015
:CVE: CVE-2015-1852


Affects
~~~~~~~
- python-keystoneclient: versions through 1.3.0
- keystonemiddleware: versions through 1.5.0


Description
~~~~~~~~~~~
Brant Knudson from IBM reported a vulnerability in keystonemiddleware
(formerly shipped as python-keystoneclient). When the 'insecure'
option is set in a S3Token paste configuration file its value is
effectively ignored and instead assumed to be true. As a result
certificate verification will be disabled, leaving TLS connections
open to MITM attacks. Note that it's unusual to explicitly add this
option and then set it to false, so the impact of this bug is thought
to be limited. All versions of s3_token middleware with TLS settings
configured are affected by this flaw.


Patches
~~~~~~~
- https://review.openstack.org/173378 (python-keystoneclient) (Icehouse)
- https://review.openstack.org/173376 (keystonemiddleware)    (Juno)
- https://review.openstack.org/173377 (python-keystoneclient) (Juno)
- https://review.openstack.org/173365 (keystonemiddleware)    (Kilo)
- https://review.openstack.org/173370 (python-keystoneclient) (Kilo)


Credits
~~~~~~~
- Brant Knudson from IBM (CVE-2015-1852)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1411063
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1852


Notes
~~~~~
- This fix will be included in keystonemiddleware 1.6.0 release and
  python-keystoneclient 1.4.0 release.

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
Cloud 4/5 seem affected.
VUL-1 planned update due to non-default nature of this configuration.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1852
http://seclists.org/oss-sec/2015/q2/139
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1852.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1852
http://www.cvedetails.com/cve/CVE-2015-1852/
https://bugs.launchpad.net/keystonemiddleware/+bug/1411063
http://lists.openstack.org/pipermail/openstack-announce/2015-April/000350.html
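The option-handling mistake the advisory describes, shown as an added example modelled on the described behaviour (not keystonemiddleware's own code): the vulnerable pattern beside the fixed one, plus a small audit over a constructed paste.ini. The bool_from_string helper is a simplified stand-in for oslo's strutils.bool_from_string, and the filter-section matching on the `use` line is an assumption.

```python
"""Paste 'insecure' option handling, modelled on the bug behind CVE-2015-1852.
Added example, not keystonemiddleware's own code; paste.deploy hands every
option to the filter factory as a string, which is what the dicts mimic."""
import configparser

# Simplified stand-in for oslo strutils.bool_from_string (runs without oslo.utils).
TRUE_STRINGS = ('1', 't', 'true', 'on', 'y', 'yes')
FALSE_STRINGS = ('0', 'f', 'false', 'off', 'n', 'no')

# Constructed proxy-server paste config for the audit helper below.
SAMPLE_PASTE_INI = """\
[filter:s3token]
use = egg:keystonemiddleware#s3_token
auth_host = keystone.example.invalid
insecure = false

[filter:authtoken]
use = egg:keystonemiddleware#auth_token
insecure = false
"""

def bool_from_string(value, default=False):
    """Parse a config string into a bool; unrecognised text gives the default."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in TRUE_STRINGS:
        return True
    if text in FALSE_STRINGS:
        return False
    return default

def tls_verify_vulnerable(conf):
    """Vulnerable pattern: the raw option string is used as a truth value, so
    'false' is truthy and verification is off whenever the key is present."""
    return not conf.get('insecure', False)

def tls_verify_fixed(conf):
    """Fixed pattern: parse the string before treating it as a flag."""
    return not bool_from_string(conf.get('insecure', False))

def find_explicit_insecure(paste_ini_text):
    """Audit: s3_token filter sections that set 'insecure' at all; on unpatched
    releases each of these runs with certificate verification disabled."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(paste_ini_text)
    return [(s, parser.get(s, 'insecure')) for s in parser.sections()
            if s.startswith('filter:') and parser.has_option(s, 'insecure')
            and 's3_token' in parser.get(s, 'use', fallback='')]
```

The audit helper only flags sections where `insecure` is present at all, because on the affected releases the value is irrelevant; on patched releases the same scan still surfaces deployments that deliberately turned verification off.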
Comment 1 Swamp Workflow Management 2015-04-22 22:01:10 UTC
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2015-05-12 10:16:53 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-05-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61689
Comment 5 Swamp Workflow Management 2015-06-25 13:05:23 UTC
SUSE-SU-2015:1141-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 897103,928205
CVE References: CVE-2014-7144,CVE-2015-1852
Sources used:
SUSE Cloud 4 (src):    python-keystoneclient-0.9.0-0.13.1
Comment 6 Bernhard Wiedemann 2015-07-07 14:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (928205) was mentioned in
https://build.opensuse.org/request/show/315471 Factory / python-keystoneclient
Comment 7 Swamp Workflow Management 2015-07-08 16:08:28 UTC
SUSE-SU-2015:1208-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 928205
CVE References: CVE-2015-1852
Sources used:
SUSE OpenStack Cloud Compute 5 (src):    python-keystoneclient-1.0.0-16.1
Comment 8 Swamp Workflow Management 2015-08-25 09:10:14 UTC
SUSE-SU-2015:1434-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (low)
Bug References: 928205,932270,933758
CVE References: CVE-2015-1852
Sources used:
SUSE OpenStack Cloud 5 (src):    python-glanceclient-0.15.0-9.2, python-keystoneclient-1.0.0-11.1, python-keystonemiddleware-1.2.0-11.2, python-novaclient-2.20.0-9.2, python-openstackclient-0.4.1-9.2
Comment 9 Marcus Meissner 2015-09-22 13:10:43 UTC
done
Comment 10 Swamp Workflow Management 2015-09-22 14:10:09 UTC
SUSE-SU-2015:1602-1: An update that contains security fixes can now be installed.

Category: security (low)
Bug References: 914910,928205,933758
CVE References: 
Sources used:
SUSE OpenStack Cloud Compute 5 (src):    python-glanceclient-0.15.0-3.1, python-keystoneclient-1.0.0-19.1, python-keystonemiddleware-1.2.0-4.1, python-novaclient-2.20.0-6.1, python-swiftclient-2.3.1-3.1