CVE-2017-2623
It was discovered that rpm-ostree and rpm-ostree-client fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default.
Find out more about CVE-2017-2623 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v3 metrics
| CVSS3 Base Score | 5.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | High |
| Availability Impact | None |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux Atomic Host 7 (rpm-ostree) | RHSA-2017:0444 | 2017-03-02 |
Acknowledgements
This issue was discovered by Colin Walters (Red Hat).Mitigation
This issue is partially mitigated on RHEL Atomic Host, where default certificate pinning ensures provenance.