CVE-2014-8167
It was found that the VDSM SSL certificate validation implementation did not check whether the server host name matched the domain name in a subject's Common Name (CN) field in a X.509 certificate. A man-in-the-middle attacker could use this flaw to spoof a VDSM server using a specially crafted X.509 certificate.
Find out more about CVE-2014-8167 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This issue affects the versions of vdsm as shipped with Red Hat Enterprise Vitalization 3.x. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
CVSS v2 metrics
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | Partial |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Affected Packages State
| Platform | Package | State |
|---|---|---|
| RHEV Manager 3 | vdsm | Will not fix |