REDHAT-BUG-1151208

First published: Thu Oct 09 2014

CloudForms: http.verify_mode = OpenSSL::SSL::VERIFY_NONE

From the email:

OK, so two main things here. Firstly, I would prefer to fix this all at once: looking at the code there's a whole bunch of instances of "http.verify_mode = OpenSSL::SSL::VERIFY_NONE" (11 or so out of 17 total calls for http.verify), so even if we fix this default one there would still be the 11 instances, so rather than do several fixes and end up with multiple CVEs I'd rather do this all at once.

Now as to how to fix it:

1) Removing any unneeded code with respect to this SSL stuff (apparently a few may not be needed anymore?)

2) By default, change it so that we check SSL correctly; however, for backwards compatibility of existing installations, and for demos, we want to allow the old behaviour, so some switch in a config file/web interface like "Allow self signed certs" with a warning/explanation.

3) To protect against attacks (e.g. with a self-signed cert we can't check it properly, so a man-in-the-middle attack is pretty easy) we could harden it by caching the certificates the first time we see them, and then checking against that cached copy. So in theory the first time you access it (right after setup) is safe; we cache that, and in future any changes would cause an alarm, basically buying us most of what you would get by using a "Real" certificate.

So I would say #2 is mandatory, #1 is always good (removing dead code) and #3 would be very nice to have, but really if people want security they can buy certificates for not much money.
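The two hardening steps the email proposes, verification on by default with an explicit opt-out (#2) and caching the first-seen certificate so that a later change raises an alarm (#3), written out in Ruby below as an added example. This is not CloudForms code and not code from the bug report; PinStore, build_http, pin_verify, make_self_signed_cert, the host cfme.example.test and the certificates generated at run time are all hypothetical names and constructed test material. The weak call is kept beside the hardened one for comparison.

```ruby
require 'net/http'
require 'openssl'
require 'digest'
require 'uri'

# Added example, not CloudForms code. All names below are hypothetical.
# It demonstrates the bug report's proposals #2 (verify by default, explicit
# opt-out for self-signed certificates) and #3 (trust-on-first-use pinning).

# The pattern the report counts 11 times: any certificate is accepted, so an
# on-path attacker can terminate TLS with a certificate of their own.
def insecure_http(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE   # the bug
  http
end

# Proposal #3: remember the SHA-256 fingerprint of the first leaf certificate
# seen per host:port and alarm if it ever changes. A real deployment would
# persist this table (for example in the application database); here it is
# kept in memory.
class PinStore
  def initialize
    @pins = {}
  end

  def self.fingerprint(cert)
    Digest::SHA256.hexdigest(cert.to_der)
  end

  # :pinned on first sight, :match if unchanged, :mismatch if it changed.
  def check(host, port, cert)
    key = "#{host}:#{port}"
    fp = self.class.fingerprint(cert)
    if !@pins.key?(key)
      @pins[key] = fp
      :pinned
    elsif @pins[key] == fp
      :match
    else
      :mismatch
    end
  end
end

# Verdict for one certificate of the chain. Chain errors are tolerated (that
# is what "allow self-signed" means) but the leaf at depth 0 must match its
# pin; a changed fingerprint aborts the handshake.
def pin_verify(pins, host, port, depth, cert)
  return true unless depth.zero?
  pins.check(host, port, cert) != :mismatch
end

# Proposal #2: VERIFY_PEER is the default. The opt-out does not fall back to
# VERIFY_NONE; it keeps VERIFY_PEER and swaps the chain check for the pin
# check, because under VERIFY_NONE OpenSSL ignores the callback's verdict.
def build_http(uri, allow_self_signed: false, pins: nil)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  if allow_self_signed
    raise ArgumentError, 'allow_self_signed requires a PinStore' if pins.nil?
    http.verify_callback = lambda do |_preverify_ok, ctx|
      pin_verify(pins, uri.host, uri.port, ctx.error_depth, ctx.current_cert)
    end
  end
  http
end

# Constructed test material: a throwaway self-signed certificate of the kind
# a demo appliance presents.
def make_self_signed_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# What the pinning verdict is across three "handshakes": first contact, a
# reconnect with the same certificate, and a MITM presenting its own
# certificate with the same CN but a different key.
def simulate_handshakes(host = 'cfme.example.test', port = 443)
  pins = PinStore.new
  appliance = make_self_signed_cert(host)
  attacker = make_self_signed_cert(host)
  [appliance, appliance, attacker].map { |c| pin_verify(pins, host, port, 0, c) }
end

if __FILE__ == $PROGRAM_NAME
  p simulate_handshakes   # [true, true, false]
end
```

The opt-out path deliberately ignores the OpenSSL pre-verification result, so expiry and hostname are not checked either; that is the trade-off the email accepts for demos and legacy appliances, and it is only as safe as the first connection. Where the endpoint has a real or private-CA certificate, leave allow_self_signed off and, for a private CA, point ca_file or cert_store at that CA instead.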

Affected Software                      | Affected Version | How to fix
Red Hat CloudForms Management Engine   | (not listed)     | (not listed)


Frequently Asked Questions

  • What is the severity of REDHAT-BUG-1151208?

    The severity of REDHAT-BUG-1151208 is classified as high. With verify_mode set to OpenSSL::SSL::VERIFY_NONE the client accepts any certificate, so an attacker on the network path can impersonate every HTTPS endpoint CloudForms connects to and read or alter the traffic, including any credentials it carries.

  • How do I fix REDHAT-BUG-1151208?

    To fix REDHAT-BUG-1151208, remove the http.verify_mode = OpenSSL::SSL::VERIFY_NONE assignments so that the connections use OpenSSL::SSL::VERIFY_PEER (the default for Net::HTTP with use_ssl). The bug report proposes doing this for all call sites at once, adding an explicit "Allow self signed certs" switch with a warning for legacy and demo installations, and optionally caching each certificate on first sight so that a later change raises an alarm.

  • What are the implications of REDHAT-BUG-1151208?

    The implications of REDHAT-BUG-1151208 are man-in-the-middle attacks: because no certificate check is performed, not even of the hostname, an active attacker can present any certificate and CloudForms will complete the TLS handshake with it.

  • Which software versions are affected by REDHAT-BUG-1151208?

    The page lists Red Hat CloudForms Management Engine without a version. The bug report counts about 11 of 17 http.verify_mode call sites that set OpenSSL::SSL::VERIFY_NONE, so a partial fix of the default call site alone would leave the rest exposed.

  • Is there a workaround for REDHAT-BUG-1151208?

    The bug report mentions no existing configuration switch; the setting is hard-coded at each call site. Until a fix is applied, the interim options are to patch those call sites to OpenSSL::SSL::VERIFY_PEER (supplying the CA for endpoints with private or self-signed certificates) or to restrict the network path between CloudForms and the endpoints it manages so that an attacker cannot get on-path.
