PT-2014-7804 · Openstack+1 · Openstack Keystonemiddleware+1
Qin Zhao
·
Published
2014-10-02
·
Updated
2022-05-17
·
CVE-2014-7144
CVSS v4.0
8.2
High
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
OpenStack keystonemiddleware versions 0.x through 0.10.x
OpenStack keystonemiddleware versions 1.x through 1.1.x
Description
The issue allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate when the
insecure option is set in a paste.ini file, regardless of its value. This occurs because certification verification is disabled under these conditions.Recommendations
For OpenStack keystonemiddleware versions 0.x through 0.10.x, update to version 0.11.0 or later to resolve the issue.
For OpenStack keystonemiddleware versions 1.x through 1.1.x, update to version 1.2.0 or later to resolve the issue.
As a temporary workaround, consider removing or modifying the
insecure option in the paste.ini file to enable certification verification.Fix
Improper Certificate Validation
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openstack Keystonemiddleware
Ubuntu