======================================================================================
OSSA-2020-003: Keystone does not check signature TTL of the EC2 credential auth method
======================================================================================

:Date: May 06, 2020
:CVE: Pending

Affects
~~~~~~~
- Keystone: <15.0.1, ==16.0.0
Description
~~~~~~~~~~~
kay reported a vulnerability in Keystone's EC2 API. Keystone performs no signature TTL check for AWS Signature Version 4 requests, so an attacker who captures the Authorization header of a single signed request can replay it to obtain new OpenStack tokens an unlimited number of times.
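To illustrate the missing check, the following Python snippet is an added example (not Keystone's patch) of a freshness test for a SigV4-signed request: it parses the signed X-Amz-Date header, confirms it agrees with the date in the Authorization header's credential scope, and rejects timestamps outside an accepted window. The five-minute window, one-minute skew tolerance and the sample headers are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumed window; the advisory does not state the value Keystone's fix uses.
MAX_SIGNATURE_AGE = timedelta(minutes=5)
# Tolerated forward clock skew between client and server (assumption).
MAX_CLOCK_SKEW = timedelta(minutes=1)
AMZ_DATE_FORMAT = "%Y%m%dT%H%M%SZ"  # ISO 8601 basic format, always UTC

# Constructed sample request headers (not captured traffic; signature is a dummy).
SAMPLE_HEADERS = {
    "X-Amz-Date": "20200506T120000Z",
    "Authorization": (
        "AWS4-HMAC-SHA256 "
        "Credential=AKIDEXAMPLE/20200506/RegionOne/ec2/aws4_request, "
        "SignedHeaders=host;x-amz-date, Signature=deadbeef"
    ),
}


def parse_amz_date(value):
    """Parse an X-Amz-Date value into a timezone-aware UTC datetime."""
    return datetime.strptime(value, AMZ_DATE_FORMAT).replace(tzinfo=timezone.utc)


def credential_scope_date(authorization):
    """Return the YYYYMMDD date from the Credential= field of a SigV4 header."""
    for part in authorization.replace("AWS4-HMAC-SHA256", "").split(","):
        key, _, val = part.strip().partition("=")
        if key == "Credential":
            return val.split("/")[1]
    raise ValueError("no Credential field in Authorization header")


def signature_is_fresh(headers, now, max_age=MAX_SIGNATURE_AGE, max_skew=MAX_CLOCK_SKEW):
    """True if the request timestamp is consistent and inside the accepted window."""
    try:
        signed_at = parse_amz_date(headers["X-Amz-Date"])
        scope_date = credential_scope_date(headers["Authorization"])
    except (KeyError, ValueError):
        return False  # unsigned or malformed timestamp: fail closed
    # The credential scope is covered by the signature; its date must match X-Amz-Date.
    if scope_date != signed_at.strftime("%Y%m%d"):
        return False
    if signed_at > now + max_skew:
        return False  # timestamp from the future: clock skew or tampering
    return now - signed_at <= max_age  # a header replayed after the window is rejected
```

A freshness window only bounds how long a captured header stays usable; replay inside the window still needs a cache of seen signatures or nonces to be fully prevented.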
Patches
~~~~~~~
- https://review.opendev.org/725385 (Rocky)
- https://review.opendev.org/725069 (Stein)
- https://review.opendev.org/724954 (Train)
- https://review.opendev.org/724746 (Ussuri)
- https://review.opendev.org/724124 (Victoria)

Credits
~~~~~~~
- kay (CVE Pending)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1872737
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending

Notes
~~~~~
- The stable/rocky branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy.