<div dir="ltr">======================================================================================<br>OSSA-2020-003: Keystone does not check signature TTL of the EC2 credential auth method<br>======================================================================================<br><br>:Date: May 06, 2020<br>:CVE: CVE-2020-12692<br><br><br>Affects<br>~~~~~~~<br>- Keystone: <15.0.1, ==16.0.0<br><br><br>Description<br>~~~~~~~~~~~<br>kay reported a vulnerability with keystone's EC2 API. Keystone doesn't<br>have a signature TTL check for AWS signature V4 and an attacker can<br>sniff the auth header, then use it to reissue an openstack token an<br>unlimited number of times.<br><br><br>Errata<br>~~~~~~<br>CVE-2020-12692 was assigned after the original publication date.<br><br><br>Patches<br>~~~~~~~<br>- <a href="https://review.opendev.org/725385">https://review.opendev.org/725385</a> (Rocky)<br>- <a href="https://review.opendev.org/725069">https://review.opendev.org/725069</a> (Stein)<br>- <a href="https://review.opendev.org/724954">https://review.opendev.org/724954</a> (Train)<br>- <a href="https://review.opendev.org/724746">https://review.opendev.org/724746</a> (Ussuri)<br>- <a href="https://review.opendev.org/724124">https://review.opendev.org/724124</a> (Victoria)<br><br><br>Credits<br>~~~~~~~<br>- kay (CVE-2020-12692)<br><br><br>References<br>~~~~~~~~~~<br>- <a href="https://launchpad.net/bugs/1872737">https://launchpad.net/bugs/1872737</a><br>- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12692">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12692</a><br><br><br>Notes<br>~~~~~<br>- The stable/rocky branch is under extended maintenance and will receive no new<br> point releases, but a patch for it is provided as a courtesy.<br><br><br>OSSA History<br>~~~~~~~~~~~~<br>- 2020-05-07 - Errata 1<br>- 2020-05-06 - Original Version<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 6, 2020 at 2:41 PM Gage Hugo <<a href="mailto:gagehugo@gmail.com">gagehugo@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">======================================================================================<br>OSSA-2020-003: Keystone does not check signature TTL of the EC2 credential auth method<br>======================================================================================<br><br>:Date: May 06, 2020<br>:CVE: Pending<br><br><br>Affects<br>~~~~~~~<br>- Keystone: <15.0.1, ==16.0.0<br><br><br>Description<br>~~~~~~~~~~~<br>kay reported a vulnerability with keystone's EC2 API. Keystone doesn't<br>have a signature TTL check for AWS signature V4 and an attacker can<br>sniff the auth header, then use it to reissue an openstack token an<br>unlimited number of times.<br><br><br>Patches<br>~~~~~~~<br>- <a href="https://review.opendev.org/725385" target="_blank">https://review.opendev.org/725385</a> (Rocky)<br>- <a href="https://review.opendev.org/725069" target="_blank">https://review.opendev.org/725069</a> (Stein)<br>- <a href="https://review.opendev.org/724954" target="_blank">https://review.opendev.org/724954</a> (Train)<br>- <a href="https://review.opendev.org/724746" target="_blank">https://review.opendev.org/724746</a> (Ussuri)<br>- <a href="https://review.opendev.org/724124" target="_blank">https://review.opendev.org/724124</a> (Victoria)<br><br><br>Credits<br>~~~~~~~<br>- kay (CVE Pending)<br><br><br>References<br>~~~~~~~~~~<br>- <a href="https://launchpad.net/bugs/1872737" target="_blank">https://launchpad.net/bugs/1872737</a><br>- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending</a><br><br><br>Notes<br>~~~~~<br>- The stable/rocky branch is under extended maintenance and will receive no new<br> point releases, but a patch for it is provided as a courtesy.<br></div>
</blockquote></div>
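<div dir="ltr">The missing check described in the advisory, shown as an added example that is not Keystone's code or its patch: a verifier that checks only the signature keeps accepting a captured request, while one that also bounds the age of the signed timestamp rejects it once the window has passed. The HMAC is a simplified stand-in for the AWS Signature V4 computation; the 15-minute window, the request path, the secret and all function names are assumptions of this example.</div>

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

AUTH_TTL = timedelta(minutes=15)   # assumed freshness window for this example
AMZ_DATE_FMT = "%Y%m%dT%H%M%SZ"    # X-Amz-Date format used by AWS Signature V4


def sign(secret: bytes, method: str, path: str, amz_date: str) -> str:
    """Simplified stand-in for SigV4: HMAC over a string that includes the
    timestamp, so the timestamp cannot be changed without the secret."""
    string_to_sign = "\n".join([method, path, amz_date]).encode()
    return hmac.new(secret, string_to_sign, hashlib.sha256).hexdigest()


def verify_signature_only(secret: bytes, request: dict) -> bool:
    """Behaviour the advisory describes: the signature is checked but its
    age is not, so a valid request stays valid indefinitely."""
    expected = sign(secret, request["method"], request["path"],
                    request["headers"].get("X-Amz-Date", ""))
    return hmac.compare_digest(expected, request["signature"])


def verify_with_ttl(secret: bytes, request: dict, now: datetime) -> bool:
    """Signature check plus a TTL check on the signed timestamp."""
    if not verify_signature_only(secret, request):
        return False
    try:
        signed_at = datetime.strptime(
            request["headers"]["X-Amz-Date"], AMZ_DATE_FMT
        ).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False  # missing or malformed timestamp: rejected in this example
    # Reject stale signatures and ones dated implausibly far in the future.
    return now - AUTH_TTL <= signed_at <= now + AUTH_TTL


def make_request(secret: bytes, signed_at: datetime) -> dict:
    """Build a constructed sample request signed at the given time."""
    amz_date = signed_at.strftime(AMZ_DATE_FMT)
    path = "/example-auth"  # placeholder path, not a real endpoint
    return {"method": "POST", "path": path,
            "headers": {"X-Amz-Date": amz_date},
            "signature": sign(secret, "POST", path, amz_date)}
```

Because the timestamp is part of the signed string, a replayed request cannot carry a refreshed `X-Amz-Date` without invalidating the signature, which is what makes the age check effective.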