-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenStack Security Advisory: 2012-013 CVE: CVE-2012-3542 Date: August 30, 2012 Title: Lack of authorization for adding users to tenants Impact: Critical Reporter: Dolph Mathews (Rackspace) Products: Keystone Affects: Essex, Folsom Description: Dolph Mathews reported a vulnerability in Keystone. When attempting to update a user's default tenant, Keystone will only partially deny the request when a user is not authorized to complete this action. The API responds with 401 Not Authorized and the user's default tenant is not changed. However, the user is still granted membership to this new tenant.The result is that any client that can reach the administrative API (deployed on port 35357, by default) can add any user to any tenant. Fixes: Folsom: https://github.com/openstack/keystone/commit/c13d0ba606f7b2bdc609a7f388334e5... 2012.1: https://github.com/openstack/keystone/commit/5438d3b5a219d7c8fa67e66e538d325... References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3542 https://bugs.launchpad.net/keystone/+bug/1040626 Notes: This fix will be included in the folsom-rc1 development milestone and in a future Essex (2012.1) release. - -- Russell Bryant OpenStack Vulnerability Management Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlA/iZEACgkQFg9ft4s9SAZ0zQCeKEqxWbDFum/f6l00H0x6FL2L QEEAn3eer5owk4/lEktxTMrdIhtnyaaL =vdh7 -----END PGP SIGNATURE-----