Peter Feiner from Gridcentric, Inc. deserves special mention for independently reporting the same underlying error: https://bugs.launchpad.net/python-keystoneclient/+bug/1289074 He also suggested an approach to fix the error which closed the security vulnerability as well. Thanks, Peter! On Thu, Mar 27, 2014 at 10:00 AM, Tristan Cacqueray < tristan.cacqueray at enovance.com> wrote: > OpenStack Security Advisory: 2014-007 > CVE: CVE-2014-0105 > Date: March 27, 2014 > Title: Potential context confusion in Keystone middleware > Reporter: Kieran Spear (University of Melbourne) > Products: python-keystoneclient > Versions: All versions up to 0.6.0 > > Description: > Kieran Spear from the University of Melbourne reported a vulnerability > in Keystone auth_token middleware (shipped in python-keystoneclient). By > doing repeated requests, with sufficient load on the target system, an > authenticated user may in certain situations assume another > authenticated user's complete identity and multi-tenant authorizations, > potentially resulting in a privilege escalation. Note that it is related > to a bad interaction between eventlet and python-memcached that should > be avoided if the calling process already monkey-patches "thread" to use > eventlet. Only keystone middleware setups using auth_token with memcache > are vulnerable. > > python-keystoneclient fix (included in 0.7.0 release): > https://review.openstack.org/81078 > > References: > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0105 > https://bugs.launchpad.net/bugs/1282865 > > -- > Tristan Cacqueray > OpenStack Vulnerability Management Team > > > > > _______________________________________________ > Mailing list: > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > Post to : openstack at lists.openstack.org > Unsubscribe : > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140327/a12091ea/attachment.html>