OpenStack Security Advisory: 2014-029 CVE: CVE-2014-3621 Date: September 16, 2014 Title: Configuration option leak through Keystone catalog Reporter: Brant Knudson (IBM) Products: Keystone Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2.1 Description: Brant Knudson from IBM reported a vulnerability in Keystone catalog url replacement. By creating a malicious endpoint a privileged user may reveal configuration options resulting in sensitive information, like master admin_token, being exposed through the service url. All Keystone setups that allow non-admin users to create endpoints are affected. Juno (development branch) fix: https://review.openstack.org/121889 Icehouse fix: https://review.openstack.org/121890 Havana fix: https://review.openstack.org/121891 Notes: This fix will be included in the Juno release 2014.2.0 and in future stable 2013.2.4 and 2014.1.3 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3621 https://launchpad.net/bugs/1354208 -- Tristan Cacqueray OpenStack Vulnerability Management Team -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: OpenPGP digital signature URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140916/0f277814/attachment.sig>