CVE-2013-2255
Published: 1 November 2019
HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.
Notes
Author | Note |
---|---|
jdstrand | swift not-affected per upstream, all occurrences are "for serverside node-to-node communication that could be assumed to happen on private networks". 'use_ssl' does convey protection, but there is no way to specify a ca_file. |
jdstrand | Adjusting priority to low since client to server communications are not affected (just server to server and middleware to server) and upstream and Ubuntu documentation all state the OpenStack components should be on a trusted network segment |
jdstrand | uses httplib.HTTPSConnection objects which are not fixed in Ubuntu. Could use pycurl, python3, or httplib2. |
jdstrand | upstream will fix as a secure feature in a future version because this will break upgrades. Nothing to be done at this time. Leaving 13.10 open, but deferred, since 13.10 will have a newer version. |
jdstrand | Ubuntu 13.10 released before fix from upstream, ignoring keystone |
jdstrand | Ubuntu 13.10 released with python-keystoneclient 0.3, ignoring |
jdstrand | Ubuntu 13.10 released before fix from upstream, ignoring cinder |
jdstrand | Ubuntu 13.10 released before fix from upstream, ignoring nova |
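The failure mode the notes describe (an HTTPSConnection that encrypts the channel but never checks the peer certificate, with no way to hand it a ca_file), as an added example that is not part of the tracker page or of any OpenStack component's code: the unverified client context beside its verified form, plus a small audit helper. It assumes Python 3 (Python 2's httplib before 2.7.9 behaved like the unverified context by default); the Keystone hostname, port and CA bundle path are constructed placeholders.

```python
import http.client
import ssl

# Constructed placeholders for this example only: a Keystone admin endpoint and
# the CA bundle an operator would deploy for it. Neither comes from the tracker.
KEYSTONE_HOST = "keystone.example.internal"
KEYSTONE_PORT = 35357
OPERATOR_CA_FILE = "/path/to/openstack-ca.pem"  # placeholder, not read here


def legacy_unverified_context():
    """What the affected components effectively got from httplib.HTTPSConnection:
    the channel is encrypted, but the peer certificate is never checked, so a
    'use_ssl' flag built on it stops passive eavesdropping only and accepts any
    certificate, including one presented by an on-path attacker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(ca_file=None):
    """Hardened form: the peer must chain to a trusted CA and match the hostname.
    ca_file is the knob the note says was missing; None falls back to the system
    trust store, which a deployment with a private OpenStack CA should not rely on."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verifies_peer(ctx):
    """Audit check for a client context: True only if both verification knobs are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def keystone_connection(ca_file=None, verify=True):
    """Build the node-to-node HTTPS connection; verify=False mirrors the vulnerable
    behaviour so the two configurations can be compared side by side."""
    ctx = verified_context(ca_file) if verify else legacy_unverified_context()
    return http.client.HTTPSConnection(KEYSTONE_HOST, KEYSTONE_PORT, context=ctx)
```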
Priority
Status
Package | Release | Status |
---|---|---|
cinder | lucid | Does not exist |
cinder | precise | Does not exist |
cinder | quantal | Ignored |
cinder | raring | Ignored |
cinder | upstream | Needs triage |
keystone | lucid | Does not exist |
keystone | precise | Ignored |
keystone | quantal | Ignored |
keystone | raring | Ignored |
keystone | upstream | Needs triage |
nova | lucid | Does not exist |
nova | precise | Ignored |
nova | quantal | Ignored |
nova | raring | Ignored |
nova | upstream | Needs triage |
python-keystoneclient | lucid | Does not exist |
python-keystoneclient | precise | Ignored |
python-keystoneclient | quantal | Ignored |
python-keystoneclient | raring | Ignored |
python-keystoneclient | upstream | Released (0.4.1) |
quantum | lucid | Does not exist |
quantum | precise | Ignored |
quantum | quantal | Ignored |
quantum | raring | Ignored |
quantum | upstream | Needs triage |
swift | lucid | Does not exist |
swift | precise | Not vulnerable |
swift | quantal | Not vulnerable |
swift | raring | Not vulnerable |
swift | upstream | Not vulnerable |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.9 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |