[openstack-announce] [OSSA 2013-028] Unintentional role granting with Keystone LDAP backend (CVE-2013-4477)

Thierry Carrez thierry at openstack.org
Wed Oct 30 16:35:45 UTC 2013



OpenStack Security Advisory: 2013-028
CVE: CVE-2013-4477
Date: October 30, 2013
Title: Unintentional role granting with Keystone LDAP backend
Reporter: The IBM OpenStack test team
Products: Keystone
Affects: All supported versions

Description:
The IBM OpenStack test team reported a vulnerability in the role change
code of the Keystone LDAP backend. When a role on a tenant is removed
from a user who does not currently hold that role on the tenant, the
backend may instead grant the role to the user. A user could leverage
this vulnerability, for example through social engineering, to obtain
extra roles, or could be granted extra roles by accident. Only Keystone
setups using an LDAP backend are affected.
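The following Python model illustrates the class of mistake the advisory describes: a role-removal path that, when the user does not hold the role, ends up issuing an add instead of failing. It is an added, constructed example, not Keystone's code or the actual patched code path; the in-memory FakeRoleDirectory, the roleOccupant-style membership sets, and all tenant, role and user DN values are assumptions. The hardened variant checks membership first and only ever issues a delete, and the demo shows the difference a deployer can check for.

```python
"""Constructed model of CVE-2013-4477 (not Keystone code).

A role assignment on a tenant is modelled as an LDAP-like entry keyed by
(tenant_id, role_id) whose multi-valued attribute holds user DNs.
"""


class RoleNotFound(Exception):
    """Raised when asked to remove a role the user does not hold."""


class FakeRoleDirectory:
    """In-memory stand-in for the LDAP subtree of role entries (assumption)."""

    def __init__(self):
        self.entries = {}  # (tenant_id, role_id) -> set of user DNs

    def occupants(self, tenant_id, role_id):
        return set(self.entries.get((tenant_id, role_id), set()))

    def modify(self, tenant_id, role_id, op, user_dn):
        """Apply an 'add' or 'delete' of one value, like an LDAP modify."""
        members = self.entries.setdefault((tenant_id, role_id), set())
        if op == "add":
            members.add(user_dn)
        elif op == "delete":
            members.discard(user_dn)
        else:
            raise ValueError("unknown op %r" % op)


def add_role(directory, tenant_id, role_id, user_dn):
    directory.modify(tenant_id, role_id, "add", user_dn)


def user_has_role(directory, tenant_id, role_id, user_dn):
    return user_dn in directory.occupants(tenant_id, role_id)


def remove_role_buggy(directory, tenant_id, role_id, user_dn):
    """Flawed removal: if the user is absent from the role entry it falls
    through to an 'add' modify, granting the role instead of removing it.
    This mirrors the effect described in the advisory, not its exact code."""
    members = directory.occupants(tenant_id, role_id)
    op = "delete" if user_dn in members else "add"
    directory.modify(tenant_id, role_id, op, user_dn)


def remove_role_fixed(directory, tenant_id, role_id, user_dn):
    """Hardened removal: verify the assignment exists, then only ever delete."""
    if not user_has_role(directory, tenant_id, role_id, user_dn):
        raise RoleNotFound("%s has no role %s on tenant %s"
                           % (user_dn, role_id, tenant_id))
    directory.modify(tenant_id, role_id, "delete", user_dn)


def demo():
    """Return (buggy_granted, fixed_raised, fixed_granted) for one scenario."""
    alice = "cn=alice,ou=users,dc=example,dc=com"  # constructed DN

    buggy_dir = FakeRoleDirectory()
    add_role(buggy_dir, "tenant1", "member", alice)  # alice is only a member
    remove_role_buggy(buggy_dir, "tenant1", "admin", alice)
    buggy_granted = user_has_role(buggy_dir, "tenant1", "admin", alice)

    fixed_dir = FakeRoleDirectory()
    add_role(fixed_dir, "tenant1", "member", alice)
    try:
        remove_role_fixed(fixed_dir, "tenant1", "admin", alice)
        fixed_raised = False
    except RoleNotFound:
        fixed_raised = True
    fixed_granted = user_has_role(fixed_dir, "tenant1", "admin", alice)

    return buggy_granted, fixed_raised, fixed_granted


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The check worth keeping from this model is the last one: after any role-removal request for an assignment that did not exist, the user must still not hold the role, and the request should be rejected rather than silently succeed.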

Icehouse (development branch) fix:
https://review.openstack.org/53012

Havana fix:
https://review.openstack.org/53146

Grizzly fix:
https://review.openstack.org/53154

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4477
https://bugs.launchpad.net/keystone/+bug/1242855

Regards,

-- 
Thierry Carrez
OpenStack Vulnerability Management Team