CVE-2014-7144 - TLS cert verification option not honoured in paste configs
Issue
Qin Zhao from IBM reported a vulnerability in keystonemiddleware
(formerly shipped as python-keystoneclient). When the 'insecure' option
is set in a paste configuration file, it is effectively ignored,
regardless of its value. As a result, certificate verification is
disabled, leaving TLS connections open to MITM attacks. All versions of
keystonemiddleware with TLS settings configured via a paste.ini file are
affected by this flaw.
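The following is an added illustration, not code from the advisory or from keystonemiddleware itself. The advisory does not state why the option is ignored; the example assumes the usual cause for this class of bug, that a value read from an ini-style paste file arrives as the string "False" and is tested for truthiness, so any non-empty value switches verification off. It shows that assumed defect beside a strict boolean parser that a deployer can use to check how their own configuration would be interpreted. The paste.ini fragment, the section name and the helper functions are constructed for the example.

```python
import configparser

# Constructed sample paste.ini fragment (hypothetical filter section).
PASTE_INI = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
insecure = False
"""

TRUE_STRINGS = {"1", "t", "true", "on", "y", "yes"}
FALSE_STRINGS = {"0", "f", "false", "off", "n", "no"}


def load_filter_options(text, section="filter:authtoken"):
    """Parse an ini-style paste config; every value comes back as a str."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp[section])


def verify_flag_assumed_defect(opts):
    """Assumed vulnerable pattern: the raw string is used as a boolean.

    'False' is a non-empty string, so `not insecure` is False and TLS
    certificate verification is silently disabled.
    """
    insecure = opts.get("insecure", False)
    return not insecure


def parse_bool(value, default=False):
    """Strict string-to-bool conversion; fails closed on junk input.

    Raising on an unrecognised value makes a misconfiguration visible
    instead of quietly picking one side for a security-relevant flag.
    """
    if value is None:
        return default
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in TRUE_STRINGS:
        return True
    if text in FALSE_STRINGS:
        return False
    raise ValueError("unrecognised boolean value: %r" % value)


def verify_flag_fixed(opts):
    """Hardened form: interpret 'insecure' as a real boolean.

    Verification stays on unless the operator explicitly opts out.
    """
    return not parse_bool(opts.get("insecure"), default=False)


def audit(text):
    """Return (defect_verifies, fixed_verifies) for a paste.ini fragment."""
    opts = load_filter_options(text)
    return verify_flag_assumed_defect(opts), verify_flag_fixed(opts)


if __name__ == "__main__":
    defect, fixed = audit(PASTE_INI)
    print("insecure = False -> verification on? defect=%s fixed=%s" % (defect, fixed))
```

Running it on the sample fragment shows the two interpretations diverge exactly where the advisory says they do: with `insecure = False` written in the file, the assumed defect still turns verification off, while the strict parser keeps it on. Operators can paste their own filter section into `PASTE_INI` to see which reading applies.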
Environment
- Red Hat OpenStack 5.0