CVE-2013-2255
Publication date 1 November 2019
Last updated 24 July 2024
Ubuntu priority
CVSS 3 severity score
HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.
Status
Package | Ubuntu Release | Status |
---|---|---|
cinder | ||
keystone | ||
nova | ||
python-keystoneclient | ||
quantum | ||
swift | ||
Notes
jdstrand
swift not-affected per upstream, all occurrences are "for serverside node-to-node communication that could be assumed to happen on private networks". 'use_ssl' does convey protection, but there is no way to specify a ca_file.
Adjusting priority to low since client to server communications are not affected (just server to server and middleware to server) and upstream and Ubuntu documentation all state the OpenStack components should be on a trusted network segment.
uses httplib.HTTPSConnection objects which are not fixed in Ubuntu. Could use pycurl, python3, or httplib2. upstream will fix as a secure feature in a future version because this will break upgrades. Nothing to be done at this time. Leaving 13.10 open, but deferred, since the 13.10 will have a newer version.
Ubuntu 13.10 released before fix from upstream, ignoring keystone
Ubuntu 13.10 released with python-keystoneclient 0.3, ignoring
Ubuntu 13.10 released before fix from upstream, ignoring cinder
Ubuntu 13.10 released before fix from upstream, ignoring nova
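The note above describes the root cause: the legacy `httplib.HTTPSConnection` object encrypts the connection but never checks the server certificate against a CA, and the affected components offer no `ca_file` setting. The following Python 3 snippet is an added illustration, not code from the OpenStack tracker or from any OpenStack project. It shows the unverified configuration that mirrors the old behaviour beside the corrected one that pins a CA bundle and requires hostname verification, plus a small audit helper a reviewer can run over any `ssl.SSLContext` to flag the weak settings. The function names (`make_unverified_context`, `make_verifying_context`, `audit_context`, `https_connection`) and the hypothetical CA path are assumptions for the example.

```python
import ssl
import http.client


def make_unverified_context():
    """Reproduce the legacy httplib.HTTPSConnection posture for comparison:
    TLS is negotiated, but the peer certificate is never validated, so any
    host that can intercept the traffic can present an arbitrary certificate.
    (Assumed example code, not OpenStack's.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_verifying_context(ca_file=None):
    """Corrected posture: require a chain to a trusted CA and a hostname match.
    `ca_file` is the equivalent of the missing ca_file option the note mentions;
    when None, the platform's default trust store is loaded instead."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client SSLContext; an empty list means
    the context validates the server the way the CVE text expects."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is %s, expected CERT_REQUIRED"
                        % ssl.VerifyMode(ctx.verify_mode).name)
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled")
    return findings


def https_connection(host, port=443, ca_file=None, verify=True):
    """Build an HTTPSConnection with an explicit context. `verify=False` exists
    only to show the vulnerable shape side by side; a service should never
    ship that branch. No network traffic is sent until request() is called."""
    ctx = make_verifying_context(ca_file) if verify else make_unverified_context()
    return http.client.HTTPSConnection(host, port, context=ctx)


if __name__ == "__main__":
    # Hypothetical CA bundle path; constructed for illustration only.
    weak = make_unverified_context()
    fixed = make_verifying_context()
    print("legacy posture findings:", audit_context(weak))
    print("corrected posture findings:", audit_context(fixed))
    conn = https_connection("keystone.example.invalid", 5000, verify=True)
    print("connection uses verify_mode", conn._context.verify_mode.name)
```

The `audit_context` helper is the useful part for a defender: pointing it at the context a client library actually builds (rather than at its documentation) tells you whether node-to-node traffic is really authenticated or merely encrypted, which is exactly the distinction the note draws between `use_ssl` and a `ca_file`.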
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.9 · Medium |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |