[Openstack-announce] [OSSA 2012-015] Some actions in Keystone admin API do not validate token (CVE-2012-4456)

Russell Bryant rbryant at redhat.com
Fri Sep 28 20:51:18 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenStack Security Advisory: 2012-015
CVE: CVE-2012-4456
Date: September 28, 2012
Title: Some actions in Keystone admin API do not validate token
Impact: High
Reporter: Jason Xu
Products: Keystone
Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-2
development milestone)

Description:
Jason Xu reported a vulnerability in Keystone. Two groups of admin API
actions did not require a valid token: listing the roles assigned to a
user, and getting, creating, and deleting services.  An unauthenticated
caller could therefore read role assignments and modify the service
catalog through the admin API.
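
The defect class described above, modelled in Python as an added example
(this is not Keystone's code; Context, assert_admin, the two controller
classes, the probe list and the sample token/role/service data are all
assumptions constructed for illustration).  The "before" controller
reaches the backend without looking at the token, the "after" controller
asserts an admin token first, and unauthenticated_actions() is the
regression check the advisory implies: it calls every admin action with
no token and reports the ones that fail to refuse.

```python
"""Model of the OSSA 2012-015 defect class: admin API actions that never
call the token check.  Added example for this page, not Keystone's own
code; all names and sample data below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple

ADMIN_TOKENS = {"tok-admin-1"}  # constructed sample token, not a real one


class Unauthorized(Exception):
    """Raised where a real API would answer HTTP 401."""


@dataclass
class Context:
    """Per-request context; `token` is whatever the caller sent as X-Auth-Token."""
    token: Optional[str] = None


def assert_admin(ctx: Context) -> None:
    """Refuse the request unless it carries a valid admin token (assumed helper)."""
    if ctx.token not in ADMIN_TOKENS:
        raise Unauthorized("admin token required")


class _Backend:
    """Constructed in-memory store standing in for the identity/catalog backends."""

    def __init__(self) -> None:
        self.roles: Dict[str, List[str]] = {"alice": ["Member"]}
        self.services: Dict[str, dict] = {
            "svc-1": {"type": "identity", "name": "keystone"},
        }


class VulnerableAdminController(_Backend):
    """Before the fix: the actions named in the advisory skip the token check."""

    def get_user_roles(self, ctx: Context, user_id: str) -> List[str]:
        return list(self.roles.get(user_id, []))

    def get_service(self, ctx: Context, service_id: str) -> Optional[dict]:
        return self.services.get(service_id)

    def create_service(self, ctx: Context, service_id: str, service: dict) -> dict:
        self.services[service_id] = service
        return service

    def delete_service(self, ctx: Context, service_id: str) -> None:
        self.services.pop(service_id, None)


class FixedAdminController(_Backend):
    """After the fix: every admin action validates the token before touching data."""

    def get_user_roles(self, ctx: Context, user_id: str) -> List[str]:
        assert_admin(ctx)
        return list(self.roles.get(user_id, []))

    def get_service(self, ctx: Context, service_id: str) -> Optional[dict]:
        assert_admin(ctx)
        return self.services.get(service_id)

    def create_service(self, ctx: Context, service_id: str, service: dict) -> dict:
        assert_admin(ctx)
        self.services[service_id] = service
        return service

    def delete_service(self, ctx: Context, service_id: str) -> None:
        assert_admin(ctx)
        self.services.pop(service_id, None)


Probe = Tuple[str, tuple]
# One probe per admin action, with constructed arguments.
PROBES: Sequence[Probe] = (
    ("get_user_roles", ("alice",)),
    ("get_service", ("svc-1",)),
    ("create_service", ("svc-2", {"type": "compute", "name": "nova"})),
    ("delete_service", ("svc-1",)),
)


def unauthenticated_actions(controller, probes: Sequence[Probe] = PROBES) -> Set[str]:
    """Call each admin action with no token; return the names that did not refuse.

    An empty set means every probed action sits behind the token check.  Any
    name in the result is an action reachable without authentication."""
    leaks: Set[str] = set()
    for name, args in probes:
        try:
            getattr(controller, name)(Context(token=None), *args)
        except Unauthorized:
            continue
        leaks.add(name)
    return leaks


if __name__ == "__main__":
    print("vulnerable:", sorted(unauthenticated_actions(VulnerableAdminController())))
    print("fixed:     ", sorted(unauthenticated_actions(FixedAdminController())))
```

Against a live deployment the same check is an HTTP loop: send each admin
route a request with no X-Auth-Token header and flag any response other
than 401.  Keeping the probe list alongside the route table means a new
admin action that forgets the check shows up as a test failure rather
than as an advisory.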

Folsom Fixes: (Included in 2012.2)
http://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb
http://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb

Essex Fixes: (Included in 2012.1.2)
http://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1
http://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4456
https://bugs.launchpad.net/keystone/+bug/1006815
https://bugs.launchpad.net/keystone/+bug/1006822

- -- 
Russell Bryant
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBmDcYACgkQFg9ft4s9SAam7wCgpJ6b7dcF/vZab3zTcNr0V84u
k2QAnAzwGx0H69iw6gVQApaCnd9V1lQk
=xR0F
-----END PGP SIGNATURE-----
