CVE-2013-6491 - The python-qpid client (common/rpc/impl_qpid.py) in OpenStack Oslo before 2013.2 does not enforce SS

CVE-2013-6491

Summary

The python-qpid client (common/rpc/impl_qpid.py) in OpenStack Oslo before 2013.2 does not enforce SSL connections when qpid_protocol is set to ssl, which allows remote attackers to obtain sensitive information by sniffing the network.

References

Vulnerable Configurations

cpe:2.3:a:openstack:oslo:-:*:*:*:*:*:*:*
cpe:2.3:a:openstack:oslo:-:*:*:*:*:*:*:*
cpe:2.3:a:openstack:oslo:2013:*:*:*:*:*:*:*
cpe:2.3:a:openstack:oslo:2013:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:3.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:3.0:*:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 21-06-2014 - 04:36)
Impact:
Exploitability:

CWE

CWE-310

CAPEC

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:N/A:N

redhat via4

advisories

rhsa

id	RHSA-2014:0112

rpms

openstack-cinder-0:2013.1.5-2.el6ost
openstack-cinder-doc-0:2013.1.5-2.el6ost
openstack-glance-0:2013.1.5-1.el6ost
openstack-glance-doc-0:2013.1.5-1.el6ost
openstack-quantum-0:2013.1.5-1.el6ost
openstack-quantum-bigswitch-0:2013.1.5-1.el6ost
openstack-quantum-brocade-0:2013.1.5-1.el6ost
openstack-quantum-cisco-0:2013.1.5-1.el6ost
openstack-quantum-hyperv-0:2013.1.5-1.el6ost
openstack-quantum-linuxbridge-0:2013.1.5-1.el6ost
openstack-quantum-metaplugin-0:2013.1.5-1.el6ost
openstack-quantum-midonet-0:2013.1.5-1.el6ost
openstack-quantum-nec-0:2013.1.5-1.el6ost
openstack-quantum-nicira-0:2013.1.5-1.el6ost
openstack-quantum-openvswitch-0:2013.1.5-1.el6ost
openstack-quantum-plumgrid-0:2013.1.5-1.el6ost
openstack-quantum-ryu-0:2013.1.5-1.el6ost
python-cinder-0:2013.1.5-2.el6ost
python-glance-0:2013.1.5-1.el6ost
python-quantum-0:2013.1.5-1.el6ost
qemu-img-rhev-2:0.12.1.2-2.415.el6_5.6
qemu-kvm-rhev-2:0.12.1.2-2.415.el6_5.6
qemu-kvm-rhev-debuginfo-2:0.12.1.2-2.415.el6_5.6
qemu-kvm-rhev-tools-2:0.12.1.2-2.415.el6_5.6
openstack-nova-0:2013.1.4-4.el6ost
openstack-nova-api-0:2013.1.4-4.el6ost
openstack-nova-cells-0:2013.1.4-4.el6ost
openstack-nova-cert-0:2013.1.4-4.el6ost
openstack-nova-common-0:2013.1.4-4.el6ost
openstack-nova-compute-0:2013.1.4-4.el6ost
openstack-nova-conductor-0:2013.1.4-4.el6ost
openstack-nova-console-0:2013.1.4-4.el6ost
openstack-nova-doc-0:2013.1.4-4.el6ost
openstack-nova-network-0:2013.1.4-4.el6ost
openstack-nova-objectstore-0:2013.1.4-4.el6ost
openstack-nova-scheduler-0:2013.1.4-4.el6ost
python-nova-0:2013.1.4-4.el6ost

refmap via4

confirm	https://bugs.launchpad.net/oslo/+bug/1158807 https://bugzilla.redhat.com/show_bug.cgi?id=996766
ubuntu	USN-2247-1

Last major update

21-06-2014 - 04:36

Published

02-02-2014 - 00:55

Last modified

21-06-2014 - 04:36