-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

OpenStack Security Advisory: 2013-005 CVE: CVE-2013-0282 Date: February 19, 2013 Keystone EC2-style authentication accepts disabled user/tenants Reporter: Nathanael Burton (National Security Agency) Products: Keystone Affects: All versions

Description: Nathanael Burton reported a vulnerability in EC2-style authentication in Keystone. Keystone fails to check whether a user, tenant, or domain is enabled before authenticating a user using the EC2 api. Authenticated, but disabled users (or authenticated users in disabled tenants or domains) could therefore retain access rights that were thought removed. Only setups enabling EC2-style authentication are affected. To disable EC2-style authentication to work around the issue, remove the EC2 extension (keystone.contrib.ec2:Ec2Extension.factory) from the keystone API pipeline in keystone.conf.

Grizzly (development branch) fix: https://review.openstack.org/#/c/22319/

Folsom fix: https://review.openstack.org/#/c/22320/

Essex fix: https://review.openstack.org/#/c/22321/

References: https://bugs.launchpad.net/keystone/+bug/1121494 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0282

- -- Thierry Carrez (ttx) OpenStack Vulnerability Management Team