Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 16 Sep 2014 15:31:47 -0400
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-029] Configuration option leak through Keystone catalog
 (CVE-2014-3621)

OpenStack Security Advisory: 2014-029
CVE: CVE-2014-3621
Date: September 16, 2014

Title: Configuration option leak through Keystone catalog
Reporter: Brant Knudson (IBM)
Products: Keystone
Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2.1

Description:
Brant Knudson from IBM reported a vulnerability in Keystone catalog url
replacement. By creating a malicious endpoint a privileged user may
reveal configuration options resulting in sensitive information, like
master admin_token, being exposed through the service url. All Keystone
setups that allow non-admin users to create endpoints are affected.

Juno (development branch) fix:
https://review.openstack.org/121889

Icehouse fix:
https://review.openstack.org/121890

Havana fix:
https://review.openstack.org/121891

Notes:
This fix will be included in the Juno release 2014.2.0 and in future
stable 2013.2.4 and 2014.1.3 releases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3621
https://launchpad.net/bugs/1354208

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team


Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.