IBM7398AADDCEC1E8801F63ED967888EB9C9F0C821AE56F383051DA8F731A94DE4ESecurity Bulletin: IBM SmartCloud Orchestrator - OpenStack Compute SSL information disclosure (CVE-2013-6491)
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
Summary
An attacker might exploit this vulnerability using man-in-the-middle techniques to obtain sensitive information. The python-qpid client (common/rpc/impl_qpid.py) in OpenStack Oslo before 2013.2 does not enforce SSL connections when qpid_protocol is set to ssl. It allows remote attackers to obtain sensitive information by sniffing the network.
Vulnerability Details
CVE ID:CVE-2013-6491
DESCRIPTION:
OpenStack Compute SSL information disclosure
CVSS:
CVSS Base Score: 4.3
_CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/90915>__ for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Products and Versions
IBM SmartCloud Orchestrator V2.3, V2.3 Fix Pack 1, V2.2, and V2.2 Fix Pack 1
Remediation/Fixes
The recommended solution is to apply the fix as soon as practical. Upgrade to IBM SmartCloud Orchestrator 2.3 Fix Pack 1 Interim Fix 4.
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm smartcloud orchestrator | eq | 2.2 | |
| ibm smartcloud orchestrator | eq | 2.2.0.1 | |
| ibm smartcloud orchestrator | eq | 2.3 |
Related
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N