Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20210810145441.lcjfteb3v7szp2bi@yuggoth.org>
Date: Tue, 10 Aug 2021 14:54:41 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2021-003] Keystone: Account name and UUID oracles in account
 locking (CVE-2021-38155)

===============================================================
OSSA-2021-003: Account name and UUID oracles in account locking
===============================================================

:Date: August 10, 2021
:CVE: CVE-2021-38155


Affects
~~~~~~~
- Keystone: >=10.0.0 <16.0.2, >=17.0.0 <17.0.1, >=18.0.0 <18.0.1, >=19.0.0 <19.0.1


Description
~~~~~~~~~~~
Samuel de Medeiros Queiroz with Oi Cloud reported a vulnerability
affecting Keystone account locking. By guessing the name of an
account and failing to authenticate multiple times, any
unauthenticated actor could both confirm the account exists and
obtain that account's corresponding UUID, which might be leveraged
for other unrelated attacks. All Keystone deployments enabling
security_compliance.lockout_failure_attempts are affected.


Patches
~~~~~~~
- https://review.opendev.org/790444 (Train)
- https://review.opendev.org/790443 (Ussuri)
- https://review.opendev.org/790442 (Victoria)
- https://review.opendev.org/790440 (Wallaby)
- https://review.opendev.org/759940 (Xena)


Credits
~~~~~~~
- Samuel de Medeiros Queiroz from Oi Cloud (CVE-2021-38155)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1688137
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38155

-- 
Jeremy Stanley

Download attachment "signature.asc" of type "application/pgp-signature" (964 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.