Bug 870102 - (CVE-2014-0105) VUL-0: CVE-2014-0105: python-keystoneclient: Potential context confusion in Keystone middleware
Status: RESOLVED UPSTREAM
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Nanuk Krinner
QA Contact: Security Team bot
Reported: 2014-03-25 09:51 UTC by Marcus Meissner
Modified: 2014-07-02 09:21 UTC

Attachments
cve-2014-0105-master-0.7.0.patch (6.67 KB, patch)
2014-03-25 09:51 UTC, Marcus Meissner
Description Marcus Meissner 2014-03-25 09:51:22 UTC
EMBARGOED until 2014-03-27 15:00 UTC

from openstack, via distros, 

This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.

Title: Potential context confusion in Keystone middleware
Reporter: Kieran Spear (University of Melbourne)
Products: python-keystoneclient
Versions: All versions up to 0.6.0

Description:
Kieran Spear from the University of Melbourne reported a vulnerability
in Keystone auth_token middleware (shipped in python-keystoneclient). By
doing repeated requests, with sufficient load on the target system, an
authenticated user may in certain situations assume another
authenticated user's complete identity and multi-tenant authorizations,
potentially resulting in a privilege escalation. Note that it is related
to a bad interaction between eventlet and python-memcached that should
be avoided if the calling process already monkey-patches "thread" to use
eventlet. Only keystone middleware setups using auth_token with memcache
are vulnerable.

Proposed patch:
See attached patch. This patch has already been merged to the master
branch of python-keystoneclient and will be included in the 0.7.0 release.

CVE: CVE-2014-0105

Proposed public disclosure date/time:
2014-03-27 15:00 UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.

Regards,

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team
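
A triage check for the two conditions named in the advisory above (python-keystoneclient older than 0.7.0, and auth_token configured with memcache), added here as an example and not part of the original report or of the OpenStack patch. The option names `memcached_servers` / `memcache_servers`, the section names and the sample configs are assumptions made for illustration.

```python
import configparser
import re

FIXED_IN = (0, 7, 0)  # advisory: the fix is included in the 0.7.0 release
# Assumptions, not from the page: option names and config sections to inspect.
MEMCACHE_OPTS = ("memcached_servers", "memcache_servers")
SECTIONS = ("keystone_authtoken", "filter:authtoken")

# Constructed sample configs, for illustration only.
SAMPLE_MEMCACHE = """
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
memcache_servers = 127.0.0.1:11211, 127.0.0.2:11211
"""
SAMPLE_NO_CACHE = """
[keystone_authtoken]
auth_host = 127.0.0.1
# memcached_servers = 127.0.0.1:11211
"""

def parse_version(text):
    """Turn '0.6.0' into (0, 6, 0) so that 0.10.0 compares above 0.7.0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(part or 0) for part in m.groups())

def memcache_servers(ini_text):
    """Return the memcache servers configured for auth_token, if any."""
    cp = configparser.RawConfigParser(strict=False)  # no % interpolation
    cp.read_string(ini_text)
    servers = []
    for section in SECTIONS:
        if not cp.has_section(section):
            continue
        for opt in MEMCACHE_OPTS:
            value = cp.get(section, opt, fallback="")
            servers += [s.strip() for s in value.split(",") if s.strip()]
    return servers

def assess(client_version, ini_text):
    """Classify one service against the two conditions in the advisory."""
    old_client = parse_version(client_version) < FIXED_IN
    if old_client and memcache_servers(ini_text):
        return "affected"
    return "old-client-no-memcache" if old_client else "fixed"

if __name__ == "__main__":
    print(assess("0.6.0", SAMPLE_MEMCACHE))
```

A version comparison cannot see a distribution package that carries the patch as a backport, so an "affected" result on a packaged install should be confirmed against the package changelog.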
Comment 1 Marcus Meissner 2014-03-25 09:51:45 UTC
Created attachment 583538
cve-2014-0105-master-0.7.0.patch

patch attached to email
Comment 2 Swamp Workflow Management 2014-03-25 23:00:17 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2014-03-27 15:37:57 UTC
public now
Comment 4 Bernhard Wiedemann 2014-03-31 11:24:11 UTC
In SUSE Cloud we always use
driver = keystone.token.backends.sql.Token

so if this really only affects keystone-memcache setups,
we should not be affected.
Comment 7 Bernhard Wiedemann 2014-04-28 07:29:15 UTC
Fix is in master:
https://review.openstack.org/#q,Iffb1d1bff5dc4437544a5aefef3bca0e5b17cc81,n,z
Comment 9 Marcus Meissner 2014-07-02 09:21:58 UTC
just mark upstream fixed