OpenStack Security Advisory: 2014-029 CVE: CVE-2014-3621 Date: September 16, 2014 Title: Configuration option leak through Keystone catalog Reporter: Brant Knudson (IBM) Products: Keystone Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2.1 Description: Brant Knudson from IBM reported a vulnerability in Keystone catalog url replacement. By creating a malicious endpoint a privileged user may reveal configuration options resulting in sensitive information, like master admin_token, being exposed through the service url. All Keystone setups that allow non-admin users to create endpoints are affected. Juno (development branch) fix: https://review.openstack.org/121889 Icehouse fix: https://review.openstack.org/121890 Havana fix: https://review.openstack.org/121891 Notes: This fix will be included in the Juno release 2014.2.0 and in future stable 2013.2.4 and 2014.1.3 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3621 https://launchpad.net/bugs/1354208 -- Tristan Cacqueray OpenStack Vulnerability Management Team