OpenStack Security Advisory: 2014-018 CVE: CVE-2014-3476 Date: June 12, 2014 Title: Keystone privilege escalation through trust chained delegation Reporter: Steven Hardy (Red Hat) Products: Keystone Versions: up to 2013.2.3, and 2014.1 to 2014.1.1 Description: Steven Hardy from Red Hat reported a vulnerability in Keystone chained delegation. By creating a delegation from a trust or OAuth token, a trustee may abuse the identity impersonation against keystone and circumvent the enforced scope, resulting in potential elevated privileges to any of the trustor's projects and or roles. All Keystone deployments configured to enable trusts are affected, which has been the default since Grizzly. Juno (development branch) fix: https://review.openstack.org/99687 Icehouse fix: https://review.openstack.org/99700 Havana fix: https://review.openstack.org/99703 Notes: This fix will be included in the Juno-2 development milestone and in future 2013.2.4 and 2014.1.2 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3476 https://launchpad.net/bugs/1324592 -- Tristan Cacqueray OpenStack Vulnerability Management Team -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 538 bytes Desc: OpenPGP digital signature URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20140612/aeb75a3b/attachment.pgp>