CVE-2017-7513

It was found that Satellite 5 configured with SSL/TLS for the PostgreSQL backend failed to correctly validate X.509 server certificate host name fields. A man-in-the-middle attacker could use this flaw to spoof a PostgreSQL server using a specially crafted X.509 certificate.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name	Vendor	Start Version	End Version
Satellite	Redhat	5.0 (including)	5.0 (including)
Satellite	Redhat	5.1.1 (including)	5.1.1 (including)
Satellite	Redhat	5.2 (including)	5.2 (including)
Satellite	Redhat	5.3 (including)	5.3 (including)
Satellite	Redhat	5.4 (including)	5.4 (including)
Satellite	Redhat	5.4.1 (including)	5.4.1 (including)
Satellite	Redhat	5.5 (including)	5.5 (including)
Satellite	Redhat	5.6 (including)	5.6 (including)
Satellite	Redhat	5.7 (including)	5.7 (including)
Satellite	Redhat	5.8 (including)	5.8 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/459.html
https://cwe.mitre.org/data/definitions/475.html

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7513
https://access.redhat.com/security/cve/cve-2017-7513
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7513

NVD	https://nvd.nist.gov/vuln/detail/CVE-2017-7513
CWE	https://cwe.mitre.org/data/definitions/295.html

Improper Certificate Validation

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References