Vulnerability Description
It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensitive information from CloudForms.
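The missing check described above, as an added example in Ruby (CloudForms is a Ruby application, but this is not CloudForms' own code): a certificate chained to a trusted custom CA still has to be matched against the hostname that was dialed. The certificate is constructed in-line for an offline run, and `certificate_matches_host?` and `hardened_ssl_context` are hypothetical helper names.

```ruby
require 'openssl'

# Constructed self-signed test certificate (not a real RHEV/OpenShift cert)
# so the hostname check below can be exercised offline.
def build_test_cert(common_name, san_hosts)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  san = san_hosts.map { |h| "DNS:#{h}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The check CloudForms skipped: a chain signed by the trusted custom CA only
# proves the CA issued the certificate, not that it was issued for the host
# we connected to. Identity must be matched against SAN (or CN) explicitly.
def certificate_matches_host?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Client context that pins trust to a custom CA bundle AND enables hostname
# verification, so a certificate for another host signed by the same CA
# is rejected. (Hypothetical helper, not CloudForms' code.)
def hardened_ssl_context(ca_pem)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # reject untrusted chains
  ctx.verify_hostname = true                  # reject host/cert mismatch
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  ctx.cert_store = store
  ctx
end

if __FILE__ == $PROGRAM_NAME
  cert = build_test_cert('rhev.example.internal', %w[rhev.example.internal])
  puts certificate_matches_host?(cert, 'rhev.example.internal') # true
  puts certificate_matches_host?(cert, 'rogue.example.internal') # false
end
```

With `verify_hostname` left at its default of false, the second host would be accepted as long as its certificate chained to the same custom CA, which is exactly the spoofing condition the advisory describes.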
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Cloudforms | 4.5 |
| Redhat | Cloudforms Management Engine | 5.8 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/98769 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1038599 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2017:1367 (Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2639 (Issue Tracking, Vendor Advisory)
FAQ
What is CVE-2017-2639?
CVE-2017-2639 is a vulnerability with a CVSS score of 6.5 (MEDIUM). It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization (RHEV) and OpenShi...
How severe is CVE-2017-2639?
CVE-2017-2639 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2017-2639?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Cloudforms, Redhat Cloudforms Management Engine.