CVE-2017-2623
Last modified
CVE-2017-2623 is a vulnerability of currently unknown severity. It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. EPSS estimates a 1.03% chance of exploitation in the next 30 days.
Description
It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Rpm-Ostree | Rpm-Ostree | < 2017.3 |
| Rpm-Ostree | Rpm-Ostree-Client | < 2017.3 |
| Redhat | Enterprise Linux | 7.0 |
References
- http://www.securityfocus.com/bid/96558Third Party Advisory, VDB Entry
- https://access.redhat.com/errata/RHSA-2017:0444Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2623Issue Tracking, Third Party Advisory
- http://www.securityfocus.com/bid/96558Third Party Advisory, VDB Entry
- https://access.redhat.com/errata/RHSA-2017:0444Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2623Issue Tracking, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-2623?
How severe is CVE-2017-2623?
How do I fix CVE-2017-2623?
Are you affected by CVE-2017-2623?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST