Bug 870102 - (CVE-2014-0105) VUL-0: CVE-2014-0105: python-keystoneclient: Potential context confusion in Keystone middleware
VUL-0: CVE-2014-0105: python-keystoneclient: Potential context confusion in K...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Nanuk Krinner
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2014-03-25 09:51 UTC by Marcus Meissner
Modified: 2014-07-02 09:21 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

cve-2014-0105-master-0.7.0.patch (6.67 KB, patch)
2014-03-25 09:51 UTC, Marcus Meissner
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2014-03-25 09:51:22 UTC
EMBARGOED until 2014-03-27 15:00 UTC

from openstack, via distros, 

This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.

Title: Potential context confusion in Keystone middleware
Reporter: Kieran Spear (University of Melbourne)
Products: python-keystoneclient
Versions: All versions up to 0.6.0

Kieran Spear from the University of Melbourne reported a vulnerability
in Keystone auth_token middleware (shipped in python-keystoneclient). By
doing repeated requests, with sufficient load on the target system, an
authenticated user may in certain situations assume another
authenticated user's complete identity and multi-tenant authorizations,
potentially resulting in a privilege escalation. Note that it is related
to a bad interaction between eventlet and python-memcached that should
be avoided if the calling process already monkey-patches "thread" to use
eventlet. Only keystone middleware setups using auth_token with memcache
are vulnerable.

Proposed patch:
See attached patch. This patch has already been merged to the master
branch of python-keystoneclient and will be included in the 0.7.0 release.

CVE: CVE-2014-0105

Proposed public disclosure date/time:
2014-03-27 15:00 UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.


Tristan Cacqueray
OpenStack Vulnerability Management Team
Comment 1 Marcus Meissner 2014-03-25 09:51:45 UTC
Created attachment 583538 [details]

patch attached to email
Comment 2 Swamp Workflow Management 2014-03-25 23:00:17 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2014-03-27 15:37:57 UTC
public now
Comment 4 Bernhard Wiedemann 2014-03-31 11:24:11 UTC
In SUSE Cloud we always use
driver = keystone.token.backends.sql.Token

so if this really only affects keystone-memcache setups,
we should not be affected.
Comment 7 Bernhard Wiedemann 2014-04-28 07:29:15 UTC
Fix is in master:
Comment 9 Marcus Meissner 2014-07-02 09:21:58 UTC
just mark upstream fixed