Date: Fri, 28 Sep 2012 16:50:25 -0400
From: Russell Bryant <rbryant@...hat.com>
To: "openstack@...ts.launchpad.net" <openstack@...ts.launchpad.net>,
        oss-security@...ts.openwall.com
Subject: [OSSA 2012-015] Some actions in Keystone admin API do not validate token (CVE-2012-4456)

OpenStack Security Advisory: 2012-015
CVE: CVE-2012-4456
Date: September 28, 2012
Title: Some actions in Keystone admin API do not validate token
Impact: High
Reporter: Jason Xu
Products: Keystone
Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-2 development milestone)

Description:
Jason Xu reported a vulnerability in Keystone. Two admin API actions
did not require a valid token.  The first was listing roles for a
user.  The second was the ability to get, create, and delete services.
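As an added illustration of the bug class this advisory describes (not Keystone's own code), the toy admin controller below keeps one handler that skips token validation next to its hardened form, and includes an audit that lists every public handler lacking the check; the token store, role names, and method names are constructed for the example.

```python
# Constructed example: an admin API where one action forgets to validate the
# caller's token, the decorator that enforces it, and an audit that catches
# any handler missing the decorator (the defect class in OSSA 2012-015).
import functools
import inspect

class Unauthorized(Exception):
    """Raised when a request carries no valid admin token."""

# Constructed token store: token id -> roles granted to that token.
TOKENS = {"tok-admin": {"roles": ["admin"]}, "tok-user": {"roles": ["member"]}}

def require_admin_token(handler):
    """Reject the call unless the context names a valid token with the admin role."""
    @functools.wraps(handler)
    def wrapper(self, context, *args, **kwargs):
        token = TOKENS.get(context.get("token"))
        if token is None or "admin" not in token["roles"]:
            raise Unauthorized(handler.__name__)
        return handler(self, context, *args, **kwargs)
    wrapper.admin_protected = True  # marker the audit looks for
    return wrapper

class AdminController:
    """Every public method is an admin API action and must be protected."""
    def __init__(self):
        self.services = {}
        self.user_roles = {"alice": ["member"]}

    # Vulnerable form: listing a user's roles answers without any token.
    def get_user_roles(self, context, user_id):
        return self.user_roles.get(user_id, [])

    # Hardened form of the same action.
    @require_admin_token
    def get_user_roles_fixed(self, context, user_id):
        return self.user_roles.get(user_id, [])

    @require_admin_token
    def create_service(self, context, service_id, service_type):
        self.services[service_id] = service_type
        return service_id

def rejected(handler, context, *args):
    """True if the handler refuses the call with Unauthorized."""
    try:
        handler(context, *args)
    except Unauthorized:
        return True
    return False

def unprotected_actions(controller):
    """Audit: names of public handlers that lack require_admin_token."""
    return sorted(name for name, fn in inspect.getmembers(controller, inspect.ismethod)
                  if not name.startswith("_") and not getattr(fn, "admin_protected", False))
```

Running the audit as a unit test in CI flags a newly added handler the moment it ships without the decorator, which is the regression check this class of bug calls for.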

Folsom Fixes: (Included in 2012.2)
http://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb
http://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb

Essex Fixes: (Included in 2012.1.2)
http://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1
http://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4456
https://bugs.launchpad.net/keystone/+bug/1006815
https://bugs.launchpad.net/keystone/+bug/1006822

-- 
Russell Bryant
OpenStack Vulnerability Management Team
