Vulnerability CVE-2014-7144

Vulnerability Name:

CVE-2014-7144 (CCN-96027)

Assigned:

2014-09-17

Published:

2014-09-17

Updated:

2016-11-28

Summary:

OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-310

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2014-7144

Source: CCN
Type: OpenStack Web site
Keystone

Source: REDHAT
Type: UNKNOWN
RHSA-2014:1783

Source: REDHAT
Type: UNKNOWN
RHSA-2014:1784

Source: CCN
Type: RHSA-2015-0020
Moderate: python-keystoneclient security update

Source: REDHAT
Type: UNKNOWN
RHSA-2015:0020

Source: CCN
Type: oss-security Mailing List, Wed, 17 Sep 2014 21:35:31 +1000
CVE request for vulnerability in OpenStack keystonemiddleware

Source: CCN
Type: oss-security Mailing List, Mon, 22 Sep 2014 02:15:48 -0400 (EDT)
Re: CVE request for vulnerability in OpenStack keystonemiddleware

Source: SECUNIA
Type: UNKNOWN
62709

Source: CCN
Type: IBM Security Bulletin T1022026
IBM Cloud Manager with OpenStack Vulnerabilities (CVE-2014-7230 CVE-2014-7231 CVE-2014-7144 CVE-2014-3641 CVE-2014-3608)

Source: CCN
Type: IBM Security Bulletin 1698837
Multiple Vulnerabilities in IBM SmartCloud Orchestrator, IBM SmartCloud Orchestrator Enterprise and bundling products (CVE-2015-2808, CVE-2015-0138, CVE-2014-8730, CVE-2014-3566, and others).

Source: CCN
Type: IBM Security Bulletin 1961009
Multiple vulnerabilities have been identified in IBM SmartCloud Provisioning and bundling products

Source: MLIST
Type: Patch
[oss-security] 20140926 [OSSA 2014-030] TLS cert verification option not honoured in paste configs (CVE-2014-7144)

Source: BID
Type: UNKNOWN
69864

Source: CCN
Type: BID-69864
OpenStack Keystonemiddleware SSL Certificate Validation Security Bypass Vulnerability

Source: UBUNTU
Type: UNKNOWN
USN-2705-1

Source: CCN
Type: Launchpad Bug #1353315
Incorrect condition expression for ssl_insecure

Source: CONFIRM
Type: Patch
https://bugs.launchpad.net/python-keystoneclient/+bug/1353315

Source: XF
Type: UNKNOWN
keystonemiddleware-ssl-mitm(96027)

Vulnerable Configuration:

Configuration 1:

cpe:/a:openstack:keystonemiddleware:1.0.0:*:*:*:*:*:*:*

OR cpe:/a:openstack:keystonemiddleware:1.1.0:*:*:*:*:*:*:*

OR cpe:/a:openstack:keystonemiddleware:1.1.1:*:*:*:*:*:*:*

OR cpe:/a:openstack:python-keystoneclient:*:*:*:*:*:*:*:* (Version <= 0.10.1)

Configuration CCN 1:

cpe:/a:openstack:keystonemiddleware:1.1.1:*:*:*:*:*:*:*

AND

cpe:/a:ibm:smartcloud_provisioning:2.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:smartcloud_provisioning:2.1.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_orchestrator:2.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_orchestrator:2.3.0.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20147144	V	CVE-2014-7144	2022-09-02
oval:org.opensuse.security:def:1456	P	Security update for the Linux Kernel (Live Patch 12 for SLE 15 SP3) (Important)	2022-03-29
oval:org.opensuse.security:def:949	P	Security update for systemd (Moderate)	2022-02-21
oval:org.opensuse.security:def:64678	P	Security update for apache2 (Important)	2022-01-17
oval:org.opensuse.security:def:113204	P	python-keystoneclient-3.5.0-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:945	P	Security update for net-snmp (Important)	2022-01-11
oval:org.opensuse.security:def:64591	P	Security update for the Linux Kernel (Important)	2021-10-15
oval:org.opensuse.security:def:106624	P	python-keystoneclient-3.5.0-1.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:55248	P	Security update for MozillaFirefox (Important)	2021-09-22
oval:org.opensuse.security:def:71265	P	libjansson-devel-2.9-1.24 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:71378	P	python3-paramiko-2.4.2-4.23 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:94186	P	(Important)	2021-09-03
oval:org.opensuse.security:def:47931	P	yast2-core-3.3.1-1.7 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47602	P	elfutils-0.158-6.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47799	P	libudisks2-0-2.1.3-1.13 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47481	P	python-imaging-1.1.7-21.15 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47606	P	expat-2.1.0-21.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47467	P	perl-LWP-Protocol-https-6.04-5.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48167	P	libpango-1_0-0-1.40.1-9.5 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47485	P	python-requests-2.8.1-6.16.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47466	P	perl-HTML-Parser-3.71-1.145 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48019	P	git-core-2.12.3-27.17.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47471	P	pigz-2.3-5.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48171	P	libplist3-1.12-20.3.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47927	P	xorg-x11-libs-7.6-45.14 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47470	P	perl-YAML-LibYAML-0.38-10.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48023	P	gnome-settings-daemon-3.20.1-50.16.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47795	P	libtcnative-1-0-1.2.17-1.12 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:101010	P	python2-keystoneclient-3.15.0-2.33 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:107676	P	python2-keystoneclient-3.15.0-2.33 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:94297	P	python2-keystoneclient-3.15.0-2.33 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:2364	P	python2-keystoneclient-3.15.0-2.33 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63453	P	python2-keystoneclient-3.15.0-2.33 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:100899	P	libbsd-devel-0.8.7-3.3.17 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:55931	P	Security update for libsndfile (Critical)	2021-08-05
oval:org.opensuse.security:def:68025	P	Security update for the Linux Kernel (Live Patch 20 for SLE 15 SP1) (Important)	2021-07-27
oval:org.opensuse.security:def:66855	P	Security update for jdom2 (Important)	2021-07-12
oval:org.opensuse.security:def:1469	P	Security update for djvulibre (Important)	2021-06-10
oval:org.opensuse.security:def:48596	P	perl-HTML-Parser-3.71-1.145 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48465	P	libXext6-1.3.2-3.60 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48531	P	libotr5-4.0.0-9.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48381	P	bzip2-1.0.6-29.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48469	P	libXinerama1-1.1.3-3.54 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48694	P	libsilc-1_1-2-1.1.10-24.128 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48385	P	colord-gtk-lang-0.1.26-6.3 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48623	P	squashfs-4.3-6.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48698	P	libvirt-client-32bit-1.2.5-13.3 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48592	P	patch-2.7.5-7.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48627	P	stunnel-5.00-3.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48527	P	libneon27-0.30.0-3.64 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:1460	P	Security update for avahi (Moderate)	2021-05-04
oval:org.opensuse.security:def:66763	P	Security update for ceph (Important)	2021-05-04
oval:org.opensuse.security:def:70211	P	Security update for bind (Important)	2021-05-04
oval:org.opensuse.security:def:63109	P	python3-keystoneclient-3.15.0-2.33 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:107565	P	python3-keystoneclient-3.15.0-2.33 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:2029	P	python3-keystoneclient-3.15.0-2.33 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:117123	P	python3-keystoneclient-3.15.0-2.33 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63118	P	python3-keystoneclient-3.15.0-2.33 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:2016	P	python3-keystoneclient-3.15.0-2.33 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63105	P	python3-keystoneclient-3.15.0-2.33 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:103678	P	python3-keystoneclient-3.15.0-2.33 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:90023	P	python3-keystoneclient-3.15.0-2.33 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:2020	P	python3-keystoneclient-3.15.0-2.33 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:49847	P	log4j12-javadoc on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56609	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:55085	P	cups-pk-helper on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55765	P	Security update for tiff (Moderate)	2020-12-01
oval:org.opensuse.security:def:67925	P	libopus-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56528	P	Security update for mariadb (Important)	2020-12-01
oval:org.opensuse.security:def:49897	P	python3-keystoneclient on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55659	P	Security update for bind (Important)	2020-12-01
oval:org.opensuse.security:def:49856	P	perl-DNS-LDNS on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56490	P	Security update for gimp (Moderate)	2020-12-01
oval:org.opensuse.security:def:70106	P	libopenjpeg1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55486	P	Security Update for Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:56416	P	Security update for ncurses (Moderate)	2020-12-01
oval:org.opensuse.security:def:49901	P	python3-keystoneclient on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:73428	P	libjasper-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56324	P	Security update for libqt5-qtbase, libqt5-qtdeclarative (Moderate)	2020-12-01
oval:org.opensuse.security:def:49843	P	libgit2-28 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55108	P	fontconfig on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56216	P	Security update for kernel-firmware (Important)	2020-12-01
oval:org.opensuse.security:def:49910	P	python3-keystoneclient on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55086	P	curl on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:73546	P	python3-keystoneclient on GA media (Moderate)	2020-12-01
oval:com.ubuntu.precise:def:20147144000	V	CVE-2014-7144 on Ubuntu 12.04 LTS (precise) - medium.	2014-10-02
oval:com.ubuntu.trusty:def:20147144000	V	CVE-2014-7144 on Ubuntu 14.04 LTS (trusty) - medium.	2014-10-02

BACK