Message-ID: <50B63027.6060506@openstack.org>
Date: Wed, 28 Nov 2012 16:39:19 +0100
From: Thierry Carrez <thierry@...nstack.org>
To: "openstack@...ts.launchpad.net" <openstack@...ts.launchpad.net>, oss-security@...ts.openwall.com, openstack-announce@...ts.openstack.org
Subject: [OSSA 2012-018] EC2-style credentials invalidation issue (CVE-2012-5571)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2012-018
CVE: CVE-2012-5571
Date: November 28, 2012
Title: EC2-style credentials invalidation issue
Reporter: Vijaya Erukala
Products: Keystone
Affects: All versions

Description:
Vijaya Erukala reported a vulnerability in Keystone EC2-style credentials invalidation: when a user is removed from a tenant, issued EC2-style credentials would continue to be valid for that tenant. An authenticated and authorized user could potentially leverage this vulnerability to extend his access beyond the account owner's expectations. Only setups enabling EC2-style credentials (for example enabling EC2 API in Nova) are affected.
Grizzly (development branch) fix:
http://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653

Folsom fix (included in upcoming Keystone 2012.2.1 stable update):
http://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b

Essex fix:
http://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19

References:
https://bugs.launchpad.net/keystone/+bug/1064914
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5571

- -- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
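The validation gap the advisory describes, as an added illustration that is neither Keystone's code nor the content of the linked commits: an in-memory model in which EC2-style authentication either trusts the request signature alone (the behaviour reported) or also re-checks the user's current tenant membership on every request (the mitigation). The user, tenant, access key, secret and request string are constructed sample values.

```python
import hashlib
import hmac

# Constructed in-memory stand-ins for the Keystone data the advisory names (not Keystone code).
memberships = {("alice", "tenant-a")}                     # (user_id, tenant_id) pairs
ec2_creds = {"AKIAEXAMPLE": {"user_id": "alice", "tenant_id": "tenant-a", "secret": "s3cret"}}


def sign(secret, string_to_sign):
    # EC2-style request signing: HMAC over a canonical request string with the secret key.
    return hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).hexdigest()


def _credential_for(access, string_to_sign, signature):
    # Shared step: look up the access key and verify the signature in constant time.
    cred = ec2_creds.get(access)
    if cred is None or not hmac.compare_digest(sign(cred["secret"], string_to_sign), signature):
        return None
    return cred


def authenticate_vulnerable(access, string_to_sign, signature):
    # Pattern the advisory describes: a valid signature yields tenant-scoped access
    # even after the user has been removed from the tenant.
    cred = _credential_for(access, string_to_sign, signature)
    return cred["tenant_id"] if cred else None


def authenticate_fixed(access, string_to_sign, signature):
    # Mitigation: re-check the user's tenant membership on every authentication.
    cred = _credential_for(access, string_to_sign, signature)
    if cred is None or (cred["user_id"], cred["tenant_id"]) not in memberships:
        return None
    return cred["tenant_id"]


def remove_user_from_tenant(user_id, tenant_id):
    # The advisory's trigger: membership ends, but the issued EC2 credential is not revoked.
    memberships.discard((user_id, tenant_id))


def demo():
    # Returns (vulnerable before removal, vulnerable after removal, fixed after removal).
    req = "GET\nnova.example.invalid\n/services/Cloud\nAction=DescribeInstances"
    sig = sign("s3cret", req)
    before = authenticate_vulnerable("AKIAEXAMPLE", req, sig)
    remove_user_from_tenant("alice", "tenant-a")
    return (before, authenticate_vulnerable("AKIAEXAMPLE", req, sig),
            authenticate_fixed("AKIAEXAMPLE", req, sig))
```

Running `demo()` shows the vulnerable path still scoping the removed user to the tenant while the membership-checking path rejects the same request.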