OSSA-2014-030: TLS cert verification option not honoured in paste configs

Date:September 25, 2014
CVE:CVE-2014-7144

Affects

  • Keystonemiddleware: versions up to 1.1.1
  • Python-keystoneclient: versions up to 0.10.1

Description

Qin Zhao from IBM reported a vulnerability in keystonemiddleware (formerly shipped as python-keystoneclient). When the “insecure” option is set in a paste configuration file it is effectively ignored, regardless of its value. As a result certificate verification will be disabled, leaving TLS connections open to MITM attacks. All versions of keystonemiddleware with TLS settings configured via a paste.ini file are affected by this flaw.

Patches

Credits

  • Qin Zhao from IBM (CVE-2014-7144)