Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAE4Awf9+28ooqR9jH5m=NkARWYazK0Utb8=NzqQzOhC5-1MjpQ@mail.gmail.com>
Date: Wed, 6 May 2020 14:44:27 -0500
From: Gage Hugo <gagehugo@...il.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2020-003] Keystone: Keystone does not check signature TTL of
 the EC2 credential auth method (CVE PENDING)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

======================================================================================
OSSA-2020-003: Keystone does not check signature TTL of the EC2 credential
auth method
======================================================================================

:Date: May 06, 2020
:CVE: Pending


Affects
~~~~~~~
- - Keystone: <15.0.1, ==16.0.0


Description
~~~~~~~~~~~
kay reported a vulnerability with keystone's EC2 API. Keystone doesn't
have a signature TTL check for AWS signature V4 and an attacker can
sniff the auth header, then use it to reissue an openstack token an
unlimited number of times.


Patches
~~~~~~~
- - https://review.opendev.org/725385 (Rocky)
- - https://review.opendev.org/725069 (Stein)
- - https://review.opendev.org/724954 (Train)
- - https://review.opendev.org/724746 (Ussuri)
- - https://review.opendev.org/724124 (Victoria)


Credits
~~~~~~~
- - kay (CVE Pending)


References
~~~~~~~~~~
- - https://launchpad.net/bugs/1872737
- - http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending


Notes
~~~~~
- - The stable/rocky branch is under extended maintenance and will receive
no new
  point releases, but a patch for it is provided as a courtesy.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl6zEjwACgkQ56j9K3b+
vRFejhAAvzq3MBwKGXIKsJxQmwVS0RxVFifTAfnKIjBGskG3knWkQHopY0IcmwoZ
3Kv2AnRgFVBuQpZ0t9Y3S3U7KRI63FT+kzA3gy9sB+h7rdqzquxejXvljRMGJlex
WRCOQwRP4prFpzpUqzBg9/bIAyWpkrjJIvz7iJ9U3z6MbrZIjV+YEZ3JIRQTdMUj
MajgwJ4EDynkh8trm63n7Gyuvq8ukj1FCrG1APWJi96HhwNz6XwiqXIWci4CTaEW
sY9v8luETMCyv+nY2pt9IF8wXOaJKJXPTilf6sisjN2zDq+UWgsxEC0sp3h09tnZ
m6cy3OvUQeDmdJVQ/VNsfUTeRYRvYri2u44FaOUBjsNxeZca1U4MCVkAiN9BBzkg
k1Xb8zgGoXaytT/lzzyr67h6ZghKm6cnSUktWnX56847byOMPi/g9q1cu0edUwwC
7SDaQ08JbsEstiXtPVBhatTLxbjlNy5eql6NaZmFQatYJAQKZsasvwV4YBv290mu
OsVHUEqjmYk4b4CZNPQC2681CDtAQpiLuasYiLnxC6I+zBTwfP+6tzP0xVHW4woi
4Jhl/watZMudrtMS3YoOmwZ4iFNJRzQcDWmiAr0CZiC0NGamLjvHWHRslnvmhy92
kSGWLilaMD5vBODXVY82lQHrbl96dPRbpe8/z29sALsEs6aNFYk=
=qyBV
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.