[openstack-announce] [OSSA 2013-005] Keystone EC2-style authentication accepts disabled user/tenants (CVE-2013-0282)
Thierry Carrez
thierry at openstack.org
Tue Feb 19 17:43:55 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenStack Security Advisory: 2013-005
CVE: CVE-2013-0282
Date: February 19, 2013
Keystone EC2-style authentication accepts disabled user/tenants
Reporter: Nathanael Burton (National Security Agency)
Products: Keystone
Affects: All versions
Description:
Nathanael Burton reported a vulnerability in EC2-style authentication in
Keystone. Keystone fails to check whether a user, tenant, or domain is
enabled before authenticating a user using the EC2 api. Authenticated,
but disabled users (or authenticated users in disabled tenants or
domains) could therefore retain access rights that were thought removed.
Only setups enabling EC2-style authentication are affected. To disable
EC2-style authentication to work around the issue, remove the EC2
extension (keystone.contrib.ec2:Ec2Extension.factory) from the keystone
API pipeline in keystone.conf.
Grizzly (development branch) fix:
https://review.openstack.org/#/c/22319/
Folsom fix:
https://review.openstack.org/#/c/22320/
Essex fix:
https://review.openstack.org/#/c/22321/
References:
https://bugs.launchpad.net/keystone/+bug/1121494
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0282
- --
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iQIcBAEBCAAGBQJRI7nbAAoJEFB6+JAlsQQjGHgP/2yHBH4Yvzl3Q0P4oMr2Vskb
9xroi6sEQTgP/KaidIiV2lORdgSqYZZlylW3EbHnR1Io9natqCLfYkkEdpagTUxM
WcYXAJtBHbHN+hpeGiYojPsV1LmgIX81UrausX1k5U1ZtFkvOhrfhcXWPOozREkM
WwhYjaGl14dmIusE7h0uY7VNTiQMI9LAft18OfJMNFTwA/FmkxlPO/Jea8CUwDIl
LSLv+MRFw2M01TnsAYlnFsa9O7175q2DpNPCqXYjh38ewNBJHuArtuASkA7hHrMA
wYUzAS3lho9WuGVG/GwZk1V//GQhpzn/VWxRCmuOS3tpwTksbkXF36kwOnP5Vu5N
uo9jLBAovHIqfr0QGXGYMXA9Bu9jW5geUIuDNvpKkAFIiQVS3JcDWsqsu7otgjHY
HKUKmYF66BAJmmaM7aXPswGs61B6F3SLIZCneOp9N8PnT3PCR57++zMEjEWBYuLw
E4BDKPa1k2Q822hxWizhXAmkfc5t+AVk2kKPa9a5sMY2oNNrqtRR4+jMjXiS9CmU
gQs9VbXrmMy577zcCkzj7ci7fY0iFUtHW7PhFKUpHf2Mpr2/vLwc4p8g5da8bTwU
2swDuJ/KPsd66oEYjQW0CGBymMTkmbZWUX4InAj1ZynESW46cb/CAaS8oGk2I6dC
F3MMfAjNkfhO9srLLNoC
=fWOa
-----END PGP SIGNATURE-----
More information about the OpenStack-announce
mailing list