OpenStack Security Advisory: 2012-018
CVE: CVE-2012-5571
Date: November 28, 2012
Title: EC2-style credentials invalidation issue
Reporter: Vijaya Erukala
Products: Keystone
Affects: All versions

Description:
Vijaya Erukala reported a vulnerability in Keystone's invalidation of EC2-style credentials: when a user is removed from a tenant, EC2-style credentials already issued to that user continue to be valid for that tenant. An authenticated and authorized user could leverage this to retain access to the tenant beyond what the account owner expects. Only setups that enable EC2-style credentials (for example by enabling the EC2 API in Nova) are affected.

Grizzly (development branch) fix:
http://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff415...

Folsom fix (included in upcoming Keystone 2012.2.1 stable update):
http://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d...

Essex fix:
http://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4a...
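As an added illustration of the issue described above (example code, not Keystone's own implementation): a toy model of EC2-style credential checking that puts the pre-fix behaviour beside a membership check of the kind the fix introduces, plus an audit helper that lists credentials which have outlived their owner's tenant membership. The names Backend, authenticate_vulnerable, authenticate_fixed, stale_credentials and the sample key "AK1" are assumptions, and the real EC2 request-signature verification is reduced here to a secret comparison.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Ec2Credential:
    access: str     # access key id
    secret: str     # shared secret used for request signing
    user_id: str
    tenant_id: str  # tenant the credential was issued for

@dataclass
class Backend:
    credentials: dict = field(default_factory=dict)  # access key -> credential (toy store, not Keystone's)
    roles: dict = field(default_factory=dict)        # (user_id, tenant_id) -> role set; empty = not a member
    def remove_user_from_tenant(self, user_id, tenant_id):
        # Only the membership goes away; the EC2 credential row stays behind.
        self.roles.pop((user_id, tenant_id), None)

def _lookup(backend, access, secret):
    cred = backend.credentials.get(access)
    if cred is None or not hmac.compare_digest(cred.secret, secret):  # constant time
        return None
    return cred

def authenticate_vulnerable(backend, access, secret):
    """Pre-fix behaviour: a stored credential alone grants its tenant."""
    cred = _lookup(backend, access, secret)
    return cred.tenant_id if cred else None

def authenticate_fixed(backend, access, secret):
    """Post-fix behaviour: the owner must still hold a role in that tenant."""
    cred = _lookup(backend, access, secret)
    if cred is None or not backend.roles.get((cred.user_id, cred.tenant_id)):
        return None
    return cred.tenant_id

def stale_credentials(backend):
    """Audit: access keys whose owner no longer has any role in the tenant."""
    return sorted(c.access for c in backend.credentials.values()
                  if not backend.roles.get((c.user_id, c.tenant_id)))

def demo():
    b = Backend()  # constructed sample data
    b.credentials["AK1"] = Ec2Credential("AK1", "s3cr3t", "alice", "proj-a")
    b.roles[("alice", "proj-a")] = {"Member"}
    args = (b, "AK1", "s3cr3t")
    before = (authenticate_vulnerable(*args), authenticate_fixed(*args))
    b.remove_user_from_tenant("alice", "proj-a")
    after = (authenticate_vulnerable(*args), authenticate_fixed(*args))
    return before, after, stale_credentials(b)
```

Running demo() shows both checks accepting the key while alice is a member, and only the vulnerable check still accepting it after she is removed; stale_credentials() is the kind of sweep an operator could run over existing EC2 credentials before the fix is deployed.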
References:
https://bugs.launchpad.net/keystone/+bug/1064914
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5571

--
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team