Bugzilla – Bug 848066
VUL-0: CVE-2013-4477: openstack-keystone: Unintentional role granting with Keystone LDAP backend
Last modified: 2014-03-28 08:27:30 UTC
via oss-sec

From: Thierry Carrez | 29 Oct 2013 11:40
Subject: CVE request for a vulnerability in OpenStack Keystone

A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet.

"""
Title: Unintentional role granting with Keystone LDAP backend
Reporter: The IBM OpenStack test team
Products: Keystone
Affects: Grizzly, Havana

Description:
The IBM OpenStack test team reported a vulnerability in role change code within the Keystone LDAP backend. When a role on a tenant is removed from a user, and that user doesn't have that role on the tenant, then the user may actually be granted the role on the tenant. A user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using a LDAP backend are affected.
"""

References:
https://bugs.launchpad.net/keystone/+bug/1242855

Thanks in advance,

http://comments.gmane.org/gmane.comp.security.oss.general/11385
CVE-2013-4477
A vulnerability was fixed publicly in OpenStack Keystone recently, and we think it warrants a security advisory to make sure everyone is aware of it. We obviously can't embargo anything here since the issue (and its fix) are public already, but we figured you would still appreciate a day's heads-up before we publish the advisory and attract the rest of the world's attention to the issue.

Title: Unintentional role granting with Keystone LDAP backend
Reporter: The IBM OpenStack test team
Products: Keystone
Affects: All supported versions

Description:
The IBM OpenStack test team reported a vulnerability in role change code within the Keystone LDAP backend. When a role on a tenant is removed from a user, and that user doesn't have that role on the tenant, then the user may actually be granted the role on the tenant. A user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using a LDAP backend are affected.

Icehouse (development branch) fix:
https://review.openstack.org/53012
Havana fix:
https://review.openstack.org/53146
Grizzly fix:
https://review.openstack.org/53154

Patches are also attached for your convenience.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4477
https://bugs.launchpad.net/keystone/+bug/1242855

Regards,

--
Thierry Carrez
OpenStack Vulnerability Management Team
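The failure mode described in the advisory (a role removal that ends up granting the role) is easiest to see in code. The block below is an added example, not Keystone's own code and not the attached patches: it models the LDAP role entry that Keystone's assignment backend keeps per tenant as a constructed in-memory dictionary, and contrasts a removal routine whose "no such object" handler falls through into the add path (the pattern the advisory describes, assumed here for illustration) with one that treats a missing role entry as an error. The DNs and the exception names are stand-ins chosen for this example.

```python
"""Model of CVE-2013-4477: a role removal that creates the role entry.

Added example, not Keystone code. FakeDirectory is a constructed stand-in
for the LDAP subtree Keystone's LDAP assignment backend manages: one entry
per (tenant, role), whose member attribute lists user DNs holding that role.
The buggy shape of remove_role_vulnerable (delete path falling through into
an add) is an assumption drawn from the advisory text, used to show why
"remove a role the user does not hold" can end in a grant.
"""


class NoSuchObject(Exception):
    """Stand-in for ldap.NO_SUCH_OBJECT: the role entry does not exist."""


class NoSuchAttribute(Exception):
    """Stand-in for ldap.NO_SUCH_ATTRIBUTE: the user is not a member."""


class RoleNotFound(Exception):
    """Stand-in for Keystone's RoleNotFound exception."""


class UserNotFound(Exception):
    """Stand-in for Keystone's UserNotFound exception."""


class FakeDirectory:
    """Minimal directory: role DN -> set of member DNs (constructed)."""

    def __init__(self):
        self.entries = {}

    def modify_delete(self, role_dn, member_dn):
        """Like modify_s(role_dn, [(MOD_DELETE, member_attr, member_dn)])."""
        if role_dn not in self.entries:
            raise NoSuchObject(role_dn)
        if member_dn not in self.entries[role_dn]:
            raise NoSuchAttribute(member_dn)
        self.entries[role_dn].discard(member_dn)

    def add(self, role_dn, member_dns):
        """Like add_s(role_dn, attrs): creates the role entry with members."""
        self.entries[role_dn] = set(member_dns)

    def members(self, role_dn):
        return set(self.entries.get(role_dn, ()))


def remove_role_vulnerable(directory, role_dn, user_dn):
    """Vulnerable pattern: a missing role entry is handled by creating it.

    Deleting the user from a role entry that does not exist raises
    NoSuchObject; the handler then builds the entry with the user as its
    only member, which grants exactly the role the caller asked to remove.
    """
    try:
        directory.modify_delete(role_dn, user_dn)
    except NoSuchObject:
        # Add-role logic reached from the delete path: the bug.
        directory.add(role_dn, [user_dn])
    except NoSuchAttribute:
        raise UserNotFound(user_dn)


def remove_role_fixed(directory, role_dn, user_dn):
    """Hardened pattern: a missing role entry is an error, never a create."""
    try:
        directory.modify_delete(role_dn, user_dn)
    except NoSuchObject:
        raise RoleNotFound(role_dn)
    except NoSuchAttribute:
        raise UserNotFound(user_dn)


# Constructed DNs for the demonstration.
ROLE_DN = "cn=admin,cn=tenant1,ou=projects,dc=example,dc=com"
USER_DN = "cn=alice,ou=users,dc=example,dc=com"


def remove_unheld_role(remover):
    """Ask `remover` to drop a role the user does not hold on an empty tree.

    Returns (outcome, members of the role entry afterwards). With the
    vulnerable routine the user ends up a member; with the fixed one the
    call fails and the tree stays empty.
    """
    directory = FakeDirectory()  # alice holds no roles on tenant1
    try:
        remover(directory, ROLE_DN, USER_DN)
        outcome = "removed"
    except RoleNotFound:
        outcome = "RoleNotFound"
    return outcome, directory.members(ROLE_DN)


if __name__ == "__main__":
    print("vulnerable:", remove_unheld_role(remove_role_vulnerable))
    print("fixed:     ", remove_unheld_role(remove_role_fixed))
```

On a real deployment the equivalent check is to attempt a role removal for a user who does not hold that role on the tenant and then list the user's roles on that tenant; a patched Keystone reports the role as not found and the list is unchanged, whereas an unpatched LDAP-backed Keystone shows the role newly assigned.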
bugbot adjusting priority
Sascha: here are the latest security issues we have.
sr#29776
The SWAMPID for this issue is 55533. This issue was rated as moderate. Please submit fixed packages by 2013-12-31. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by the security team.
Update released for: openstack-keystone, openstack-keystone-doc, openstack-keystone-test, python-keystone Products: SUSE-CLOUD 2.0 (x86_64)
SUSE-SU-2014:0163-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 837800,839876,843443,848066
CVE References: CVE-2013-4222,CVE-2013-4477
Sources used:
SUSE Cloud 2.0 (src): openstack-keystone-2013.1.5.a2.g82dcde0-0.7.1, openstack-keystone-doc-2013.1.5.a2.g82dcde0-0.7.1
was this fixed pre cloud 3 shipment?
(In reply to comment #11) > was this fixed pre cloud 3 shipment? Yes; it doesn't appear in .changes because upstream doesn't refer to CVE in commits, though :/
done