openstack team mailing list archive

Re: [OSSA 2012-016] Token authorization for a user in a disabled tenant is allowed (CVE-2012-4457)


Is the plan going forward to announce these on Friday afternoons?

On Fri, Sep 28, 2012 at 4:50 PM, Russell Bryant <rbryant@xxxxxxxxxx> wrote:
> OpenStack Security Advisory: 2012-016
> CVE: CVE-2012-4457
> Date: September 28, 2012
> Title: Token authorization for a user in a disabled tenant is allowed
> Impact: High
> Reporter: Rohit Karajgi (NTT Data)
> Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-3
> development milestone)
>
> Description:
> Rohit Karajgi reported a vulnerability in Keystone. It was possible to
> get a token that is authorized for a disabled tenant. Once the token is
> established with authorization on the tenant, keystone would respond 200
> OK to token validation requests from other OpenStack services, allowing
> the user to work with the tenant's resources.
>
> Folsom fix: (Included in 2012.2)
> http://github.com/openstack/keystone/commit/4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685
>
> Essex fix: (Included in 2012.1.2)
> http://github.com/openstack/keystone/commit/5373601bbdda10f879c08af1698852142b75f8d5
>
> References:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4457
> https://bugs.launchpad.net/keystone/+bug/988920
>
> --
> Russell Bryant
> OpenStack Vulnerability Management Team
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
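The failure mode the advisory describes, as an added example that is not part of this thread and is not Keystone's own code: a toy in-memory token service with constructed users, tenants and tokens, where a `check_tenant` switch (my naming) stands in for the missing tenant-enabled check. With the switch off, a token scoped to a disabled tenant is both issued and validated, which is the behaviour the advisory reports; with it on, the tenant's `enabled` flag is checked at issuance and again on every validation, so a tenant disabled after a token was issued also revokes that token.

```python
"""Toy model of the OSSA 2012-016 failure mode (added example, not Keystone code).

Users, tenants and tokens live in constructed in-memory dicts. The
`check_tenant` switch is a hypothetical knob: False reproduces the bug the
advisory describes, True models the fix.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Tenant:
    id: str
    enabled: bool = True


@dataclass
class User:
    id: str
    password: str
    enabled: bool = True
    tenant_ids: set = field(default_factory=set)


@dataclass
class Token:
    id: str
    user_id: str
    tenant_id: str
    expires_at: float


class TokenService:
    """Issues tenant-scoped tokens and validates them for other services."""

    def __init__(self, users, tenants, check_tenant):
        self.users = {u.id: u for u in users}
        self.tenants = {t.id: t for t in tenants}
        self.tokens = {}
        self.check_tenant = check_tenant  # False reproduces the bug

    def issue(self, user_id, password, tenant_id, ttl=3600):
        user = self.users.get(user_id)
        if user is None or not user.enabled or user.password != password:
            raise PermissionError("bad credentials")
        if tenant_id not in user.tenant_ids:
            raise PermissionError("user has no role in tenant")
        if self.check_tenant and not self.tenants[tenant_id].enabled:
            raise PermissionError("tenant disabled")
        tok = Token(secrets.token_hex(16), user_id, tenant_id, time.time() + ttl)
        self.tokens[tok.id] = tok
        return tok.id

    def validate(self, token_id):
        """What another service calls before acting; returns the scope or raises."""
        tok = self.tokens.get(token_id)
        if tok is None or tok.expires_at <= time.time():
            raise PermissionError("invalid or expired token")
        if not self.users[tok.user_id].enabled:
            raise PermissionError("user disabled")
        # Re-check the tenant on every validation: the tenant may have been
        # disabled after the token was issued, and the token must die with it.
        if self.check_tenant and not self.tenants[tok.tenant_id].enabled:
            raise PermissionError("tenant disabled")
        return tok.user_id, tok.tenant_id


def run_scenario(check_tenant):
    """Return which of the two paths to a disabled tenant succeed."""
    alice = User("alice", "hunter2", tenant_ids={"acme"})   # constructed data
    acme = Tenant("acme", enabled=True)
    svc = TokenService([alice], [acme], check_tenant)

    # Path 1: token issued while the tenant is enabled, tenant disabled later.
    tok = svc.issue("alice", "hunter2", "acme")
    acme.enabled = False
    try:
        svc.validate(tok)
        stale_token_accepted = True
    except PermissionError:
        stale_token_accepted = False

    # Path 2: token requested against a tenant that is already disabled.
    try:
        svc.issue("alice", "hunter2", "acme")
        new_token_issued = True
    except PermissionError:
        new_token_issued = False

    return {"stale_token_accepted": stale_token_accepted,
            "new_token_issued": new_token_issued}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(check_tenant=False))
    print("fixed:     ", run_scenario(check_tenant=True))
```

The point the second path makes is the one that is easy to miss when patching only the authentication call: a check at issuance alone leaves every token minted before the tenant was disabled valid until it expires, so the validation endpoint that other services consult has to look up the tenant's current state as well.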