Date: Tue, 16 Sep 2014 15:31:47 -0400 From: Tristan Cacqueray <tristan.cacqueray@...vance.com> To: oss-security@...ts.openwall.com Subject: [OSSA 2014-029] Configuration option leak through Keystone catalog (CVE-2014-3621) OpenStack Security Advisory: 2014-029 CVE: CVE-2014-3621 Date: September 16, 2014 Title: Configuration option leak through Keystone catalog Reporter: Brant Knudson (IBM) Products: Keystone Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2.1 Description: Brant Knudson from IBM reported a vulnerability in Keystone catalog url replacement. By creating a malicious endpoint a privileged user may reveal configuration options resulting in sensitive information, like master admin_token, being exposed through the service url. All Keystone setups that allow non-admin users to create endpoints are affected. Juno (development branch) fix: https://review.openstack.org/121889 Icehouse fix: https://review.openstack.org/121890 Havana fix: https://review.openstack.org/121891 Notes: This fix will be included in the Juno release 2014.2.0 and in future stable 2013.2.4 and 2014.1.3 releases. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3621 https://launchpad.net/bugs/1354208 -- Tristan Cacqueray OpenStack Vulnerability Management Team [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ