-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

OpenStack Security Advisory: 2012-015 CVE: CVE-2012-4456 Date: September 28, 2012 Title: Some actions in Keystone admin API do not validate token Impact: High Reporter: Jason Xu Products: Keystone Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-2 development milestone)

Description: Jaxon Xu reported a vulnerability in Keystone. Two admin API actions did not require a valid token. The first was listing roles for a user. The second was the ability to get, create, and delete services.

Folom Fixes: (Included in 2012.2) http://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb8... http://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a...

Essex Fixes: (Included in 2012.1.2) http://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9... http://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a7...

References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4456 https://bugs.launchpad.net/keystone/+bug/1006815 https://bugs.launchpad.net/keystone/+bug/1006822

- -- Russell Bryant OpenStack Vulnerability Management Team