CVE-2013-2255

Published: 01 November 2019

HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.

Priority

Low

CVSS 3 base score: 5.9

Status

Package                Release    Status
cinder                 Upstream   Needs triage
keystone               Upstream   Needs triage
nova                   Upstream   Needs triage
python-keystoneclient  Upstream   Released (0.4.1)
quantum                Upstream   Needs triage
swift                  Upstream   Not vulnerable

Notes

Author: jdstrand

Note:

swift not-affected per upstream

per upstream, all occurrences are "for serverside node-to-node communication that could be assumed to happen on private networks". 'use_ssl' does convey protection, but there is no way to specify a ca_file. Adjusting priority to low since client to server communications are not affected (just server to server and middleware to server) and upstream and Ubuntu documentation all state the OpenStack components should be on a trusted network segment.

uses httplib.HTTPSConnection objects which are not fixed in Ubuntu. Could use pycurl, python3, or httplib2.

upstream will fix as a secure feature in a future version because this will break upgrades. Nothing to be done at this time. Leaving 13.10 open, but deferred, since the 13.10 will have a newer version.

Ubuntu 13.10 released before fix from upstream, ignoring keystone

Ubuntu 13.10 released with python-keystoneclient 0.3, ignoring

Ubuntu 13.10 released before fix from upstream, ignoring cinder

Ubuntu 13.10 released before fix from upstream, ignoring nova
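The notes above describe the root cause (Python 2's httplib.HTTPSConnection encrypts the connection but trusts any certificate, and the affected 'use_ssl' option gives no way to point at a ca_file) and name Python 3 as one of the remedies. The following is an added example, not code from the Ubuntu tracker or from any OpenStack component: it builds a Python 3 http.client.HTTPSConnection with a context that requires a trusted, hostname-matching certificate, reproduces the legacy no-validation context for comparison, and includes a small audit helper a reviewer can run over any ssl.SSLContext to spot the two settings that make this class of bug possible. The ca_file path mentioned in the comment is a placeholder, not a value from the page.

```python
import ssl
import http.client


def make_verifying_context(ca_file=None):
    """Client TLS context that rejects untrusted or hostname-mismatched server certificates.

    ca_file: optional path to a PEM bundle (e.g. a deployment's private CA). When None,
    the platform trust store is used. This is the option the affected 'use_ssl' setting lacked.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True            # the certificate must name the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain must validate against the trust store
    return ctx


def make_legacy_context():
    """Reproduce what Python 2 httplib.HTTPSConnection did: encrypt, but trust any certificate.

    Kept only so the audit below has a 'before' case to flag; never use this for real traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the reasons (if any) this context would accept a forged or misissued server certificate."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate chain is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled: a valid certificate for some other host is accepted")
    return findings


def verified_https_connection(host, port=443, ca_file=None):
    """HTTPSConnection whose handshake fails unless the server presents a certificate we trust."""
    return http.client.HTTPSConnection(host, port, context=make_verifying_context(ca_file))


if __name__ == "__main__":
    # Constructed demonstration: no network traffic is generated here.
    print("legacy  :", audit_context(make_legacy_context()))
    print("verified:", audit_context(make_verifying_context()))
    conn = verified_https_connection("keystone.example.invalid", 35357)  # placeholder host/port
    print("prepared connection to", conn.host, conn.port)
```

The audit helper is the practical takeaway: the two properties it checks are exactly what distinguish a connection that merely encrypts from one that also authenticates the server, so the same two lines can be dropped into a unit test or a deployment health check for any Python service that speaks TLS to other nodes.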

References

Bugs