-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

OpenStack Security Advisory: 2013-028 CVE: CVE-2013-4477 Date: October 30, 2013 Title: Unintentional role granting with Keystone LDAP backend Reporter: The IBM OpenStack test team Products: Keystone Affects: All supported versions

Description: The IBM OpenStack test team reported a vulnerability in role change code within the Keystone LDAP backend. When a role on a tenant is removed from a user, and that user doesn't have that role on the tenant, then the user may actually be granted the role on the tenant. A user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using a LDAP backend are affected.

Icehouse (development branch) fix: https://review.openstack.org/53012

Havana fix: https://review.openstack.org/53146

Grizzly fix: https://review.openstack.org/53154

References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4477 https://bugs.launchpad.net/keystone/+bug/1242855

Regards,

- -- Thierry Carrez OpenStack Vulnerability Management Team