openstack team mailing list archive

Thread
Date

[OSSA 2012-018] EC2-style credentials invalidation issue (CVE-2012-5571)

To: "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>, oss-security@xxxxxxxxxxxxxxxxxx, openstack-announce@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry@xxxxxxxxxxxxx>
Date: Wed, 28 Nov 2012 16:39:19 +0100
Organization: OpenStack
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2012-018
CVE: CVE-2012-5571
Date: November 28, 2012
Title: EC2-style credentials invalidation issue
Reporter: Vijaya Erukala
Products: Keystone
Affects: All versions

Description:
Vijaya Erukala reported a vulnerability in Keystone EC2-style
credentials invalidation: when a user is removed from a tenant, issued
EC2-style credentials would continue to be valid for that tenant. An
authenticated and authorized user could potentially leverage this
vulnerability to extend his access beyond the account owner
expectations. Only setups enabling EC2-style credentials (for example
enabling EC2 API in Nova) are affected.

Grizzly (development branch) fix:
http://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653

Folsom fix (included in upcoming Keystone 2012.2.1 stable update):
http://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b

Essex fix:
http://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19

References:
https://bugs.launchpad.net/keystone/+bug/1064914
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5571

- -- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJQtjAkAAoJEFB6+JAlsQQj+4sP/0uKJHxXeCY3HcAdMUtkYP+5
QyQGnscOhlggr9iE3ifPWkiLALPbfVrdwp/nJr0psXiUnf60QX4Pfj63VJz23DSf
1Hk/Z3yY5oWmCCgT8/DMgw+SPhkn09YfS6f5KwuMR5zdEX345myp2MFcc1/mgNzx
CfVKagHoCq8rrIhTjhAvyy5iwY/ZvbDFIgWKzgr3KCSm+76QuIqIoXHkdiCGYm4q
OMfKEcS1WQZlmUddc54fR2g6kFY/sIsVKGdCtqJBqc6COU+MyUuhNvs7niXGK1Ep
cU3U7tV6JCK58K70vgtQ0O5EWcDKm/Yfh5Sf/wmJTDwE2UxI8OGNEAzNJl/qxdEw
iMUp/qRObtnN2t7pF2Rf7/ixZsTWSxpFToq6BZl4O4pghqQZQgZ9dGVgtSFkX8Tn
crMjs8oWwtJuu1/paHje0O+9Y23NHMIdAg3ccjJUkC8MxfcnrxZkYd5XHZytecff
iWPUWmm3ISFkOQQPuemah0vcu2Y+YvhjEY9b5nL2Ew6I/E4DeYxL1HwpeBA0lzrt
w7nQgWCyf+ERz2g1liesuaSJ0CPBmKe93ji20kVvHTV9IRXmC3zK/SDhXtgultVo
DmY/ovoUjTw9sg60CceTNXAUz4/4QbbUV79vFQ/06sThZ8t7ZW1kTfOrTSG6M4uw
a557x0IhXfUedbbLCsE6
=+0zu
-----END PGP SIGNATURE-----