CVE-2013-2255
Published: 1 November 2019
HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.
Notes
Author | Note |
---|---|
jdstrand | swift not-affected per upstream: all occurrences are "for serverside node-to-node communication that could be assumed to happen on private networks". 'use_ssl' does convey protection, but there is no way to specify a ca_file. Adjusting priority to low since client-to-server communications are not affected (just server-to-server and middleware-to-server) and upstream and Ubuntu documentation all state the OpenStack components should be on a trusted network segment. Uses httplib.HTTPSConnection objects, which are not fixed in Ubuntu; could use pycurl, python3, or httplib2. Upstream will fix as a secure feature in a future version because this will break upgrades. Nothing to be done at this time. Leaving 13.10 open, but deferred, since 13.10 will have a newer version. Ubuntu 13.10 released before fix from upstream, ignoring keystone. Ubuntu 13.10 released with python-keystoneclient 0.3, ignoring. Ubuntu 13.10 released before fix from upstream, ignoring cinder. Ubuntu 13.10 released before fix from upstream, ignoring nova. |
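The weakness behind this entry is an HTTPS client object that never checks the server's certificate chain, and the note above records that the affected code gave operators no way to pass a ca_file. The following is an added example (not code from the tracker or from any OpenStack project) showing the two defender-side checks a reviewer would want: an ast-based audit that lists every `*HTTPSConnection(...)` call which relies on the interpreter's default instead of an explicit `context=`, and a helper that builds a Python 3 `http.client.HTTPSConnection` with a context that requires a chain to a trusted CA (optionally a private CA bundle) and checks the hostname. The sample source and the `auth.example` host are constructed for illustration.

```python
"""Audit Python source for HTTPSConnection calls that rely on the library
default, and build a connection that verifies the server certificate.

Added example; not part of the Ubuntu CVE tracker entry or of any OpenStack
component. SAMPLE_SOURCE is constructed for illustration only.
"""
import ast
import http.client
import ssl
from typing import List, Optional, Tuple


def find_unverified_https_calls(source: str) -> List[Tuple[int, str]]:
    """Return (line number, callee) for each *HTTPSConnection(...) call that
    passes no ``context=`` keyword.

    Such calls inherit the interpreter's default: Python 2 httplib and
    Python < 3.4.3 never verified the server certificate, which is the
    behaviour this CVE describes. Later versions verify by default, but an
    explicit context makes the intent (and the CA bundle) visible in review.
    """
    tree = ast.parse(source)
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute):
            name = func.attr
        elif isinstance(func, ast.Name):
            name = func.id
        else:
            continue
        if not name.endswith("HTTPSConnection"):
            continue
        if any(kw.arg == "context" for kw in node.keywords):
            continue  # caller supplied an SSLContext explicitly
        findings.append((node.lineno, ast.unparse(func)))
    findings.sort()
    return findings


def verifying_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client-side context that requires a valid chain and a matching hostname.

    ca_file: PEM bundle for a private CA, the knob the note above says could
    not be supplied to httplib; None uses the system trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def https_connection(host: str, port: int = 443,
                     ca_file: Optional[str] = None) -> http.client.HTTPSConnection:
    """HTTPSConnection that will refuse a server whose certificate does not
    chain to the trusted CA set or does not match ``host``. The socket is
    opened only when a request is made, so constructing it is side-effect free."""
    return http.client.HTTPSConnection(host, port, context=verifying_context(ca_file))


# Constructed sample: two calls rely on the default, one passes a context.
SAMPLE_SOURCE = '''
import httplib, ssl
conn = httplib.HTTPSConnection(host, port)
safe = http.client.HTTPSConnection(host, context=ctx)
other = HTTPSConnection("auth.example", 35357)
'''


if __name__ == "__main__":
    for lineno, callee in find_unverified_https_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: {callee}(...) has no explicit context=")
    conn = https_connection("auth.example", 35357)
    print(f"would verify {conn.host}:{conn.port} against the system trust store")
```

Running the audit over a tree of service code is a quick way to locate the call sites that the note says were left unfixed; the helper shows what the fixed call site looks like once a `context=` carrying the operator's CA bundle can be passed.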
Priority
CVSS 3 base score: 5.9
Status
Package | Release | Status |
---|---|---|
swift (Launchpad, Ubuntu, Debian) | quantal | Not vulnerable |
swift | raring | Not vulnerable |
swift | upstream | Not vulnerable |
swift | lucid | Does not exist |
swift | precise | Not vulnerable |
quantum (Launchpad, Ubuntu, Debian) | upstream | Needs triage |
quantum | lucid | Does not exist |
quantum | precise | Ignored |
quantum | quantal | Ignored |
quantum | raring | Ignored |
cinder (Launchpad, Ubuntu, Debian) | upstream | Needs triage |
cinder | lucid | Does not exist |
cinder | precise | Does not exist |
cinder | quantal | Ignored |
cinder | raring | Ignored |
keystone (Launchpad, Ubuntu, Debian) | upstream | Needs triage |
keystone | lucid | Does not exist |
keystone | precise | Ignored |
keystone | quantal | Ignored |
keystone | raring | Ignored |
python-keystoneclient (Launchpad, Ubuntu, Debian) | upstream | Released (0.4.1) |
python-keystoneclient | lucid | Does not exist |
python-keystoneclient | precise | Ignored |
python-keystoneclient | quantal | Ignored |
python-keystoneclient | raring | Ignored |
nova (Launchpad, Ubuntu, Debian) | upstream | Needs triage |
nova | lucid | Does not exist |
nova | precise | Ignored |
nova | quantal | Ignored |
nova | raring | Ignored |