OSSA-2014-030: TLS cert verification option not honoured in paste configs
- Date: September 25, 2014
- CVE: CVE-2014-7144
Affects
- Keystonemiddleware: versions up to 1.1.1 
- Python-keystoneclient: versions up to 0.10.1 
Description
Qin Zhao from IBM reported a vulnerability in keystonemiddleware (formerly shipped as part of python-keystoneclient). When the "insecure" option is set in a paste configuration file, its value is not honoured: setting the option at all, even to a value intended to keep verification on, results in TLS certificate verification being disabled, leaving connections to the identity service open to man-in-the-middle attacks. All versions of keystonemiddleware with TLS settings configured via a paste.ini file are affected by this flaw.
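The following is an added example, not code from keystonemiddleware, python-keystoneclient or this advisory. It assumes the usual cause of this class of bug: the option is taken from the paste file as a raw string and used directly as a boolean, so any non-empty value (including "false") is truthy and turns verification off. The paste fragment, the section name `filter:authtoken` and the helper names (`verify_flag_vulnerable`, `verify_flag_fixed`, `bool_from_string`) are constructed for illustration; the fixed variant parses the option strictly before deriving the `verify` flag that would be handed to the HTTP client.

```python
"""Added example: why a paste-config "insecure" option read as a raw string
disables TLS verification regardless of its value, and the strict-parsing fix.
Not code from keystonemiddleware or the advisory; names are illustrative."""
import configparser

# Constructed paste-style configuration fragment (not a real deployment file).
# The operator clearly intends to keep certificate verification enabled.
PASTE_INI = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_uri = https://keystone.example.test:5000/
insecure = false
"""

TRUE_STRINGS = ("1", "t", "true", "on", "y", "yes")
FALSE_STRINGS = ("0", "f", "false", "off", "n", "no")


def load_filter_conf(ini_text, section="filter:authtoken"):
    """Parse a paste-style ini and return the options of one filter section
    as a dict of raw strings, exactly as a paste loader hands them over."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return dict(parser.items(section))


def verify_flag_vulnerable(conf):
    """Vulnerable pattern (assumed cause): the raw string is used as a boolean.
    "false" is a non-empty string, so `not "false"` is False and verification
    is switched off; only an absent option keeps it on."""
    insecure = conf.get("insecure")
    return not insecure


def bool_from_string(value, default=False):
    """Strict boolean parser: accepts the common true/false spellings and
    refuses anything else rather than silently guessing."""
    if value is None:
        return default
    if isinstance(value, bool):
        return value
    lowered = str(value).strip().lower()
    if lowered in TRUE_STRINGS:
        return True
    if lowered in FALSE_STRINGS:
        return False
    raise ValueError("unrecognised boolean value for 'insecure': %r" % (value,))


def verify_flag_fixed(conf):
    """Fixed pattern: interpret the option as a boolean first, then derive
    the verify flag. Absent option defaults to secure (verification on)."""
    return not bool_from_string(conf.get("insecure"), default=False)


if __name__ == "__main__":
    conf = load_filter_conf(PASTE_INI)
    print("insecure = false, vulnerable verify flag:", verify_flag_vulnerable(conf))  # False
    print("insecure = false, fixed verify flag:     ", verify_flag_fixed(conf))       # True
```

The vulnerable function returns False for the constructed config, meaning the HTTP client would be told not to verify the identity service's certificate even though the file says `insecure = false`; the fixed function returns True. A value the parser does not recognise raises instead of defaulting to insecure, which is the safer failure mode for a setting that guards TLS verification.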
Patches
- https://review.openstack.org/113191 (Keystonemiddleware-1.2.0) 
- https://review.openstack.org/112232 (Python-keystoneclient-0.11.0)
Credits
- Qin Zhao from IBM (CVE-2014-7144) 
