<div dir="ltr">-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA512<br><br>======================================================================================<br>OSSA-2020-003: Keystone does not check signature TTL of the EC2 credential auth method<br>======================================================================================<br><br>:Date: May 06, 2020<br>:CVE: Pending<br><br><br>Affects<br>~~~~~~~<br>- - Keystone: <15.0.1, ==16.0.0<br><br><br>Description<br>~~~~~~~~~~~<br>kay reported a vulnerability with keystone's EC2 API. Keystone doesn't<br>have a signature TTL check for AWS signature V4 and an attacker can<br>sniff the auth header, then use it to reissue an openstack token an<br>unlimited number of times.<br><br><br>Patches<br>~~~~~~~<br>- - <a href="https://review.opendev.org/725385">https://review.opendev.org/725385</a> (Rocky)<br>- - <a href="https://review.opendev.org/725069">https://review.opendev.org/725069</a> (Stein)<br>- - <a href="https://review.opendev.org/724954">https://review.opendev.org/724954</a> (Train)<br>- - <a href="https://review.opendev.org/724746">https://review.opendev.org/724746</a> (Ussuri)<br>- - <a href="https://review.opendev.org/724124">https://review.opendev.org/724124</a> (Victoria)<br><br><br>Credits<br>~~~~~~~<br>- - kay (CVE Pending)<br><br><br>References<br>~~~~~~~~~~<br>- - <a href="https://launchpad.net/bugs/1872737">https://launchpad.net/bugs/1872737</a><br>- - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending">http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending</a><br><br><br>Notes<br>~~~~~<br>- - The stable/rocky branch is under extended maintenance and will receive no new<br>  point releases, but a patch for it is provided as a courtesy.<br>-----BEGIN PGP SIGNATURE-----<br><br>iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl6zEjwACgkQ56j9K3b+<br>vRFejhAAvzq3MBwKGXIKsJxQmwVS0RxVFifTAfnKIjBGskG3knWkQHopY0IcmwoZ<br>3Kv2AnRgFVBuQpZ0t9Y3S3U7KRI63FT+kzA3gy9sB+h7rdqzquxejXvljRMGJlex<br>WRCOQwRP4prFpzpUqzBg9/bIAyWpkrjJIvz7iJ9U3z6MbrZIjV+YEZ3JIRQTdMUj<br>MajgwJ4EDynkh8trm63n7Gyuvq8ukj1FCrG1APWJi96HhwNz6XwiqXIWci4CTaEW<br>sY9v8luETMCyv+nY2pt9IF8wXOaJKJXPTilf6sisjN2zDq+UWgsxEC0sp3h09tnZ<br>m6cy3OvUQeDmdJVQ/VNsfUTeRYRvYri2u44FaOUBjsNxeZca1U4MCVkAiN9BBzkg<br>k1Xb8zgGoXaytT/lzzyr67h6ZghKm6cnSUktWnX56847byOMPi/g9q1cu0edUwwC<br>7SDaQ08JbsEstiXtPVBhatTLxbjlNy5eql6NaZmFQatYJAQKZsasvwV4YBv290mu<br>OsVHUEqjmYk4b4CZNPQC2681CDtAQpiLuasYiLnxC6I+zBTwfP+6tzP0xVHW4woi<br>4Jhl/watZMudrtMS3YoOmwZ4iFNJRzQcDWmiAr0CZiC0NGamLjvHWHRslnvmhy92<br>kSGWLilaMD5vBODXVY82lQHrbl96dPRbpe8/z29sALsEs6aNFYk=<br>=qyBV<br>-----END PGP SIGNATURE-----<br></div>