Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 16 Sep 2014 15:31:47 -0400
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-029] Configuration option leak through Keystone catalog
 (CVE-2014-3621)

OpenStack Security Advisory: 2014-029
CVE: CVE-2014-3621
Date: September 16, 2014

Title: Configuration option leak through Keystone catalog
Reporter: Brant Knudson (IBM)
Products: Keystone
Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2.1

Description:
Brant Knudson from IBM reported a vulnerability in Keystone catalog url
replacement. By creating a malicious endpoint a privileged user may
reveal configuration options resulting in sensitive information, like
master admin_token, being exposed through the service url. All Keystone
setups that allow non-admin users to create endpoints are affected.

Juno (development branch) fix:
https://review.openstack.org/121889

Icehouse fix:
https://review.openstack.org/121890

Havana fix:
https://review.openstack.org/121891

Notes:
This fix will be included in the Juno release 2014.2.0 and in future
stable 2013.2.4 and 2014.1.3 releases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3621
https://launchpad.net/bugs/1354208

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ