[OSSA 2012-015] Some actions in Keystone admin API do not validate token (CVE-2012-4456)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenStack Security Advisory: 2012-015
CVE: CVE-2012-4456
Date: September 28, 2012
Title: Some actions in Keystone admin API do not validate token
Impact: High
Reporter: Jason Xu
Products: Keystone
Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-2 development milestone)

Description:
Jason Xu reported a vulnerability in Keystone. Two admin API actions
did not require a valid token. The first was listing roles for a user.
The second was the ability to get, create, and delete services.

Folsom Fixes: (Included in 2012.2)
http://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb8...
http://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a...

Essex Fixes: (Included in 2012.1.2)
http://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9...
http://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a7...

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4456
https://bugs.launchpad.net/keystone/+bug/1006815
https://bugs.launchpad.net/keystone/+bug/1006822

- --
Russell Bryant
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBmDcYACgkQFg9ft4s9SAam7wCgpJ6b7dcF/vZab3zTcNr0V84u
k2QAnAzwGx0H69iw6gVQApaCnd9V1lQk
=xR0F
-----END PGP SIGNATURE-----
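A quick way to confirm that a deployment carries the fix is to hit the two affected admin actions with no X-Auth-Token at all and check that Keystone refuses them. The script below is an added example, not part of the advisory and not code from the Keystone project. The advisory names only the actions; the URL paths are my mapping onto the v2.0 admin API (the OS-KSADM extension for services, /v2.0/users/<id>/roles for a user's roles), the admin port 35357, the loopback host and the sample user id are assumptions, and only read-only GET requests are sent so that an unpatched server is not modified by the probe. The HTTP call is injectable so the verdict logic can be exercised offline.

```python
"""Token-less probe of the Keystone v2.0 admin API for CVE-2012-4456.

Added example, not from the advisory or the Keystone code base. Endpoint
paths, port and user id are assumptions (see the module constants).
"""
import urllib.error
import urllib.request

# Assumed admin endpoint (Keystone's conventional admin port) and a
# constructed placeholder user id; substitute your own values.
ADMIN_URL = "http://127.0.0.1:35357"
SAMPLE_USER_ID = "0123456789abcdef0123456789abcdef"

# The two actions the advisory says were reachable without a token,
# mapped to v2.0 admin API paths (my mapping, not quoted from the advisory).
# Only GET is used so the probe cannot create or delete anything.
UNAUTH_CHECKS = {
    "list user roles": "/v2.0/users/{user_id}/roles",
    "list services": "/v2.0/OS-KSADM/services",
}


def http_status(url):
    """Send one GET with no X-Auth-Token header and return the HTTP status."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Turn the status of a token-less admin request into a verdict.

    A patched Keystone rejects the request before doing any work, so an
    authentication/authorization failure is the expected answer; a 2xx
    means the action ran without any credential.
    """
    if status in (401, 403):
        return "ok: token required"
    if 200 <= status < 300:
        return "VULNERABLE: action succeeded without a token"
    return "inconclusive: HTTP %d" % status


def probe(base_url=ADMIN_URL, user_id=SAMPLE_USER_ID, fetch=http_status):
    """Run every check against base_url; returns {check name: verdict}.

    `fetch(url) -> int` is injectable so the logic can be tested offline.
    """
    results = {}
    for name, path in UNAUTH_CHECKS.items():
        url = base_url.rstrip("/") + path.format(user_id=user_id)
        results[name] = classify(fetch(url))
    return results


def is_vulnerable(results):
    """True if any affected action answered a token-less request with 2xx."""
    return any(v.startswith("VULNERABLE") for v in results.values())


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else ADMIN_URL
    verdicts = probe(target)
    for name, verdict in verdicts.items():
        print("%-16s %s" % (name, verdict))
    sys.exit(1 if is_vulnerable(verdicts) else 0)
```

Run it as `python3 probe.py http://keystone-host:35357` against a host you are authorised to test; an exit status of 1 means at least one of the two actions answered a request that carried no token at all, which is exactly the behaviour the fixes listed above remove. A 404 on the roles path is inconclusive (the placeholder user id does not exist on your server), so substitute a real user id before drawing a conclusion from that check.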