First published: Fri Aug 24 2012
It was reported that oVirt 3.1 did not properly validate the server's SSL certificate when a client connected, which could permit man-in-the-middle attacks. In the oVirt SDK, Python's httplib.HTTPSConnection is used to let the programmer supply the client's key and certificate pair, but it does not make the underlying SSL library verify the server's certificate. Because of this, the oVirt CLI tool does not check certificates upon connection. The new Python SDK (ovirt-engine-sdk) and new Python CLI (ovirt-engine-cli) were introduced in oVirt 3.1 [1]; earlier versions are not affected by this flaw. This has been corrected in upstream git for the SDK [2] and the CLI [3].

[1] http://wiki.ovirt.org/wiki/Release_Notes#Interfaces
[2] http://gerrit.ovirt.org/#/c/7209/
[3] http://gerrit.ovirt.org/#/c/7249/
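As an added illustration (not code from the oVirt SDK or CLI), the two client setups side by side in Python 3: a context that mirrors the unverified behaviour described above, and one that still loads the client's key pair but also requires the server certificate to chain to a trusted CA and match the hostname. The hostname and file paths are placeholders.

```python
"""Unverified vs. verified HTTPS client setup (added example, not oVirt code)."""
import http.client
import ssl


def legacy_context() -> ssl.SSLContext:
    """Mirror the pre-fix behaviour: the client may present its own key/cert,
    but the server certificate is never verified, so any endpoint on the path
    can impersonate the engine."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(ca_file=None, cert_file=None, key_file=None) -> ssl.SSLContext:
    """The corrected pattern: verification stays on (CERT_REQUIRED plus
    hostname matching from create_default_context), and the client key pair
    is loaded in addition to, not instead of, server verification."""
    ctx = ssl.create_default_context()
    if ca_file:                          # e.g. the engine's CA bundle (placeholder path)
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:                        # optional client certificate (placeholder paths)
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def server_verification_mode(ctx: ssl.SSLContext) -> str:
    """Report how a context treats the peer certificate, for auditing."""
    return {ssl.CERT_NONE: "none", ssl.CERT_OPTIONAL: "optional",
            ssl.CERT_REQUIRED: "required"}[ctx.verify_mode]


def verifies_server(ctx: ssl.SSLContext) -> bool:
    """True only when both the chain and the hostname are checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def make_connection(host: str, ctx: ssl.SSLContext, port: int = 443) -> http.client.HTTPSConnection:
    """Build the connection with an explicit context instead of the deprecated
    key_file/cert_file arguments; no socket is opened until a request is made."""
    return http.client.HTTPSConnection(host, port, context=ctx)


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_context()), ("fixed", verified_context())):
        print(name, server_verification_mode(ctx), verifies_server(ctx))
```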
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/ovirt-engine-sdk-python-3.4.0.7 | <1 | 1 |
Ovirt | =3.1 | |
Ovirt Ovirt-engine-cli | <=3.1.0.5 | |
Ovirt-engine-sdk | 3.1.0.5 | |
CVE-2012-3533 is classified as a moderate severity vulnerability due to the potential for man-in-the-middle attacks.
To mitigate CVE-2012-3533, upgrade to a version of oVirt that properly validates SSL certificates.
CVE-2012-3533 affects oVirt version 3.1, as well as the related oVirt engine SDK versions up to 3.4.0.7.
The primary impact of CVE-2012-3533 is the risk of unauthorized data interception and manipulation during client-server communications.
Yes, later versions of oVirt have implemented proper SSL certificate validation to address the issues outlined in CVE-2012-3533.