Vulnerability Description
It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default.
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rpm-Ostree | Rpm-Ostree | < 2017.3 |
| Rpm-Ostree | Rpm-Ostree-Client | < 2017.3 |
| Redhat | Enterprise Linux | 7.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/96558 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2017:0444 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2623 (Issue Tracking, Third Party Advisory)
FAQ
What is CVE-2017-2623?
CVE-2017-2623 is a vulnerability with a CVSS score of 5.3 (MEDIUM). It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected.
How severe is CVE-2017-2623?
CVE-2017-2623 has been rated MEDIUM with a CVSS base score of 5.3/10. See the CVSS Score section above.
Is there a patch for CVE-2017-2623?
Check the references section above for vendor advisories and patch information. Affected products include rpm-ostree and rpm-ostree-client before 2017.3, and Red Hat Enterprise Linux 7.0.