[Openstack-announce] [OSSA 2012-015] Some actions in Keystone admin API do not validate token (CVE-2012-4456)

28 Sep 2012


      -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OpenStack Security Advisory: 2012-015
CVE: CVE-2012-4456
Date: September 28, 2012
Title: Some actions in Keystone admin API do not validate token
Impact: High
Reporter: Jason Xu
Products: Keystone
Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-2
development milestone)
Description:
Jaxon Xu reported a vulnerability in Keystone. Two admin API actions
did not require a valid token.  The first was listing roles for a
user.  The second was the ability to get, create, and delete services.
Folom Fixes: (Included in 2012.2)
http://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb8...
http://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a...
Essex Fixes: (Included in 2012.1.2)
http://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9...
http://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a7...
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4456
https://bugs.launchpad.net/keystone/+bug/1006815
https://bugs.launchpad.net/keystone/+bug/1006822
- -- 
Russell Bryant
OpenStack Vulnerability Management Team
...PGP SIGNATURE...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBmDcYACgkQFg9ft4s9SAam7wCgpJ6b7dcF/vZab3zTcNr0V84u
k2QAnAzwGx0H69iw6gVQApaCnd9V1lQk
=xR0F
-----END PGP SIGNATURE-----