[Openstack-announce] [OSSA 2012-013] Keystone, Lack of authorization for adding users to tenants (CVE-2012-3542)

30 Aug 2012


      -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OpenStack Security Advisory: 2012-013
CVE: CVE-2012-3542
Date: August 30, 2012
Title: Lack of authorization for adding users to tenants
Impact: Critical
Reporter: Dolph Mathews (Rackspace)
Products: Keystone
Affects: Essex, Folsom
Description:
Dolph Mathews reported a vulnerability in Keystone. When attempting to
update a user's default tenant, Keystone will only partially deny the
request when a user is not authorized to complete this action. The API
responds with 401 Not Authorized and the user's default tenant is not
changed. However, the user is still granted membership to this new
tenant.The result is that any client that can reach the administrative
API (deployed on port 35357, by default) can add any user to any tenant.
Fixes:
Folsom:
https://github.com/openstack/keystone/commit/c13d0ba606f7b2bdc609a7f388334e5...
2012.1:
https://github.com/openstack/keystone/commit/5438d3b5a219d7c8fa67e66e538d325...
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3542
https://bugs.launchpad.net/keystone/+bug/1040626
Notes:
This fix will be included in the folsom-rc1 development milestone and in
a future Essex (2012.1) release.
- -- 
Russell Bryant
OpenStack Vulnerability Management Team
...PGP SIGNATURE...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlA/iZEACgkQFg9ft4s9SAZ0zQCeKEqxWbDFum/f6l00H0x6FL2L
QEEAn3eer5owk4/lEktxTMrdIhtnyaaL
=vdh7
-----END PGP SIGNATURE-----