yahoo-eng-team team mailing list archive
Message #82540
[Bug 1872735] Re: EC2 and/or credential endpoints are not protected from a scoped context
Reviewed: https://review.opendev.org/725912
Committed: https://git.openstack.org/cgit/openstack/ossa/commit/?id=2548f46b0aff357f6c953b30179b4d8e151e4236
Submitter: Zuul
Branch: master
commit 2548f46b0aff357f6c953b30179b4d8e151e4236
Author: Gage Hugo <gagehugo@xxxxxxxxx>
Date: Wed May 6 10:57:15 2020 -0500
Add OSSA-2020-004 (CVEs Pending)
Change-Id: Ide28e91b184edab45d22c47661ad6bb6003dd244
Closes-Bug: #1872735
Closes-Bug: #1872733
** Changed in: ossa
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1872735
Title:
EC2 and/or credential endpoints are not protected from a scoped context
Status in OpenStack Identity (keystone):
In Progress
Status in OpenStack Security Advisory:
Fix Released
Bug description:
Being authorized within a limited scope context, i.e. trust / oauth / application credential with a limited role, e.g. "monitoring_viewer" or "viewer", it is still possible to create EC2 credentials. A user can auth against Keystone using EC2 credentials and obtain all project roles of a trust/oauth/application_credential owner.
I prepared a tool to auth against keystone using ec2 credentials:
https://github.com/kayrus/ec2auth
* auth against keystone using trust/oauth/application_credential credentials
* issue ec2 credentials: "openstack ec2 credentials create"
* authenticate against keystone using ec2 credentials: "ec2auth --access 7522162ced8f4e3eb9502168ef199584 --secret c558d9401a6943bbbb77a83ce910e5a5 --debug"
You'll see that the returned token contains all owner roles.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1872735/+subscriptions
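The following is an added example, not part of the bug report or of keystone: an operator-side check that compares the roles in a token obtained through EC2 credentials with the roles of the limited-scope token (trust, OAuth1 or application credential) the EC2 credentials were created from, so the escalation described above shows up as a non-empty set of gained roles. The token key names (`OS-TRUST:trust`, `OS-OAUTH1`, `application_credential`, `roles`, `project`) are the Keystone v3 token fields; the function names and the two token bodies are constructed here for illustration.

```python
"""Compare a limited-scope Keystone v3 token with one issued from EC2
credentials created under that scope, and report any roles gained.
Added example; token bodies below are constructed, not real Keystone output."""
import json

# Keys a Keystone v3 token body carries when it was issued from a
# restricted context (trust, OAuth1 access token, application credential).
RESTRICTED_CONTEXT_KEYS = ("OS-TRUST:trust", "OS-OAUTH1", "application_credential")


def role_names(token_body):
    """Return the set of role names in a v3 token body ({"token": {...}})."""
    return {r["name"] for r in token_body["token"].get("roles", [])}


def restricted_context(token_body):
    """Name of the limited-scope mechanism the token came from, or None."""
    for key in RESTRICTED_CONTEXT_KEYS:
        if key in token_body["token"]:
            return key
    return None


def escalated_roles(scoped_token, ec2_token):
    """Roles present in the EC2-derived token but absent from the scoped token.

    When scoped_token comes from a restricted context and the result is
    non-empty, the EC2 credentials granted more than the creating context had,
    which is the behaviour the bug describes; after the fix it should be empty."""
    if ec2_token["token"]["project"]["id"] != scoped_token["token"]["project"]["id"]:
        raise ValueError("tokens are scoped to different projects")
    return role_names(ec2_token) - role_names(scoped_token)


# Constructed sample tokens (hypothetical ids, not captured from a deployment).
SCOPED_TOKEN = json.loads("""{"token": {
  "project": {"id": "p1"},
  "application_credential": {"id": "ac1", "restricted": true},
  "roles": [{"id": "r1", "name": "viewer"}]}}""")
EC2_TOKEN = json.loads("""{"token": {
  "project": {"id": "p1"},
  "roles": [{"id": "r1", "name": "viewer"}, {"id": "r2", "name": "member"},
            {"id": "r3", "name": "admin"}]}}""")

if __name__ == "__main__":
    ctx = restricted_context(SCOPED_TOKEN)
    gained = escalated_roles(SCOPED_TOKEN, EC2_TOKEN)
    print(f"context: {ctx}; roles gained via EC2 credentials: {sorted(gained)}")
```

Run it against tokens fetched from a patched deployment (e.g. the JSON bodies returned by `openstack token issue -f json` or a raw POST to `/v3/auth/tokens`) to confirm the gained-role set is empty.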