Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <503F8991.9040505@redhat.com>
Date: Thu, 30 Aug 2012 11:41:05 -0400
From: Russell Bryant <rbryant@...hat.com>
To: "openstack@...ts.launchpad.net" <openstack@...ts.launchpad.net>,
        oss-security@...ts.openwall.com,
        openstack-announce@...ts.openstack.org
Subject: [OSSA 2012-013] Keystone, Lack of authorization for adding users
 to tenants (CVE-2012-3542)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenStack Security Advisory: 2012-013
CVE: CVE-2012-3542
Date: August 30, 2012
Title: Lack of authorization for adding users to tenants
Impact: Critical
Reporter: Dolph Mathews (Rackspace)
Products: Keystone
Affects: Essex, Folsom

Description:
Dolph Mathews reported a vulnerability in Keystone. When attempting to
update a user's default tenant, Keystone will only partially deny the
request when a user is not authorized to complete this action. The API
responds with 401 Not Authorized and the user's default tenant is not
changed. However, the user is still granted membership to this new
tenant.The result is that any client that can reach the administrative
API (deployed on port 35357, by default) can add any user to any tenant.

Fixes:
Folsom:
https://github.com/openstack/keystone/commit/c13d0ba606f7b2bdc609a7f388334e5efec3f3aa
2012.1:
https://github.com/openstack/keystone/commit/5438d3b5a219d7c8fa67e66e538d325a61617155

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3542
https://bugs.launchpad.net/keystone/+bug/1040626

Notes:
This fix will be included in the folsom-rc1 development milestone and in
a future Essex (2012.1) release.

- -- 
Russell Bryant
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlA/iZEACgkQFg9ft4s9SAZ0zQCeKEqxWbDFum/f6l00H0x6FL2L
QEEAn3eer5owk4/lEktxTMrdIhtnyaaL
=vdh7
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.