[OSSA-2021-003] Keystone: Account name and UUID oracles in account locking (CVE-2021-38155)

Jeremy Stanley fungi at yuggoth.org
Tue Aug 10 14:50:30 UTC 2021

OSSA-2021-003: Account name and UUID oracles in account locking

:Date: August 10, 2021
:CVE: CVE-2021-38155

- Keystone: >=10.0.0 <16.0.2, >=17.0.0 <17.0.1, >=18.0.0 <18.0.1, >=19.0.0 <19.0.1

Samuel de Medeiros Queiroz with Oi Cloud reported a vulnerability
affecting Keystone account locking. By guessing the name of an
account and failing to authenticate multiple times, any
unauthenticated actor could both confirm the account exists and
obtain that account's corresponding UUID, which might be leveraged
for other unrelated attacks. All Keystone deployments enabling
security_compliance.lockout_failure_attempts are affected.

- https://review.opendev.org/790444 (Train)
- https://review.opendev.org/790443 (Ussuri)
- https://review.opendev.org/790442 (Victoria)
- https://review.opendev.org/790440 (Wallaby)
- https://review.opendev.org/759940 (Xena)

- Samuel de Medeiros Queiroz from Oi Cloud (CVE-2021-38155)

- https://launchpad.net/bugs/1688137
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38155

Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20210810/f1f47321/attachment.sig>

More information about the openstack-discuss mailing list