CVE-2013-2255

Publication date 1 November 2019

Last updated 24 July 2024


Ubuntu priority

CVSS 3 severity score

5.9 · Medium

HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.


Status

Package                  Ubuntu release       Status
cinder                   13.04 raring         Ignored
cinder                   12.10 quantal        Ignored
cinder                   12.04 LTS precise    Not in release
cinder                   10.04 LTS lucid      Not in release
keystone                 13.04 raring         Ignored
keystone                 12.10 quantal        Ignored
keystone                 12.04 LTS precise    Ignored
keystone                 10.04 LTS lucid      Not in release
nova                     13.04 raring         Ignored
nova                     12.10 quantal        Ignored
nova                     12.04 LTS precise    Ignored
nova                     10.04 LTS lucid      Not in release
python-keystoneclient    13.04 raring         Ignored
python-keystoneclient    12.10 quantal        Ignored
python-keystoneclient    12.04 LTS precise    Ignored
python-keystoneclient    10.04 LTS lucid      Not in release
quantum                  13.04 raring         Ignored
quantum                  12.10 quantal        Ignored
quantum                  12.04 LTS precise    Ignored
quantum                  10.04 LTS lucid      Not in release
swift                    13.04 raring         Not affected
swift                    12.10 quantal        Not affected
swift                    12.04 LTS precise    Not affected
swift                    10.04 LTS lucid      Not in release

Notes


jdstrand

swift not-affected per upstream
per upstream, all occurrences are "for serverside node-to-node communication that could be assumed to happen on private networks". 'use_ssl' does convey protection, but there is no way to specify a ca_file.
Adjusting priority to low since client to server communications are not affected (just server to server and middleware to server) and upstream and Ubuntu documentation all state the OpenStack components should be on a trusted network segment.
Uses httplib.HTTPSConnection objects which are not fixed in Ubuntu. Could use pycurl, python3, or httplib2.
Upstream will fix as a secure feature in a future version because this will break upgrades. Nothing to be done at this time. Leaving 13.10 open, but deferred, since the 13.10 will have a newer version.
Ubuntu 13.10 released before fix from upstream, ignoring keystone.
Ubuntu 13.10 released with python-keystoneclient 0.3, ignoring.
Ubuntu 13.10 released before fix from upstream, ignoring cinder.
Ubuntu 13.10 released before fix from upstream, ignoring nova.
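
The defect in the description (an HTTPSConnection that never validates the server certificate) and the remediation direction in the note (a client that can be given a CA file), as an added Python 3 example that is not part of this tracker page or of the OpenStack projects: an SSLContext that requires a trusted chain and a hostname match, a context reproducing the vulnerable default, an audit helper that flags it, and an http.client.HTTPSConnection built on the validating context. The function names and the cafile parameter are assumptions of this example.

```python
"""Server certificate validation for HTTPS clients (Python 3 http.client).

CVE-2013-2255 class of bug: a connection that never checks the server
certificate accepts any certificate, so anyone between the nodes can
impersonate the peer. Names and the cafile parameter are assumptions.
"""
import http.client
import ssl


def build_verifying_context(cafile=None):
    """SSLContext that rejects untrusted or mismatched server certificates.

    cafile: PEM bundle for a private CA (the ca_file the note says cannot be
    configured); None means the platform trust store.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # Already the defaults; restated so the two deciding properties are visible.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_context_like_py2_httplib():
    """Reproduces the vulnerable behaviour (no CA or hostname check) so the
    audit helper below has a negative case to test against."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return findings for a context; an empty list means it validates."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a cert for another host accepted")
    return findings


def verified_connection(host, port=443, cafile=None, timeout=10):
    """HTTPSConnection that performs full server certificate validation."""
    ctx = build_verifying_context(cafile)
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)


if __name__ == "__main__":
    print(audit_context(build_verifying_context()), audit_context(unverified_context_like_py2_httplib()))
```

Nothing here opens a socket; the context is inspected before any connect, so the audit can run in a unit test or a config check.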

Severity score breakdown

Parameter               Value
Base score              5.9 · Medium
Attack vector           Network
Attack complexity       High
Privileges required     None
User interaction        None
Scope                   Unchanged
Confidentiality impact  None
Integrity impact        High
Availability impact     None
Vector                  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N