Date: Fri, 28 Sep 2012 16:50:25 -0400
From: Russell Bryant <rbryant@...hat.com>
To: "openstack@...ts.launchpad.net" <openstack@...ts.launchpad.net>, oss-security@...ts.openwall.com
Subject: [OSSA 2012-015] Some actions in Keystone admin API do not validate token (CVE-2012-4456)

OpenStack Security Advisory: 2012-015
CVE: CVE-2012-4456
Date: September 28, 2012
Title: Some actions in Keystone admin API do not validate token
Impact: High
Reporter: Jason Xu
Products: Keystone
Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-2 development milestone)

Description:
Jason Xu reported a vulnerability in Keystone. Two admin API actions did not require a valid token. The first was listing roles for a user. The second was the ability to get, create, and delete services.

Folsom Fixes: (Included in 2012.2)
http://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb
http://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb

Essex Fixes: (Included in 2012.1.2)
http://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1
http://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4456
https://bugs.launchpad.net/keystone/+bug/1006815
https://bugs.launchpad.net/keystone/+bug/1006822

-- 
Russell Bryant
OpenStack Vulnerability Management Team
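The bug class the advisory describes, an admin API action that returns data before any token check, shown beside the guarded form, as an added illustration that is not Keystone's code or part of the advisory. The controller, token store, Unauthorized exception and the unguarded_actions audit helper are all constructed for this example.

```python
"""Toy model of an admin API controller: one action that skips token
validation (the CVE-2012-4456 shape) next to one that validates first.
Not Keystone's code; names and sample data are constructed."""
from dataclasses import dataclass


class Unauthorized(Exception):
    """Raised when a request does not carry a valid admin token."""


@dataclass
class Token:
    id: str
    is_admin: bool


class TokenStore:
    def __init__(self):
        # Constructed sample tokens: one admin, one ordinary user.
        self._tokens = {"adm-tok": Token("adm-tok", True),
                        "usr-tok": Token("usr-tok", False)}

    def validate(self, token_id):
        """Return the Token for a known id, or None for missing/unknown ids."""
        return self._tokens.get(token_id)


class AdminController:
    def __init__(self, store):
        self.store = store
        # Constructed sample data: user id -> role names.
        self.user_roles = {"alice": ["Member", "admin"], "bob": ["Member"]}

    def assert_admin(self, context):
        """Reject the request unless the X-Auth-Token value is a valid admin token."""
        token = self.store.validate(context.get("token_id"))
        if token is None or not token.is_admin:
            raise Unauthorized("valid admin token required")

    def get_user_roles_unguarded(self, context, user_id):
        # Pre-fix shape: answers without ever looking at the token.
        return self.user_roles[user_id]

    def get_user_roles(self, context, user_id):
        # Post-fix shape: validate the token before doing any work.
        self.assert_admin(context)
        return self.user_roles[user_id]


def unguarded_actions(controller_cls):
    """Audit aid: names of public actions whose bytecode never references assert_admin."""
    return sorted(name for name, fn in vars(controller_cls).items()
                  if callable(fn) and not name.startswith("_")
                  and name != "assert_admin"
                  and "assert_admin" not in fn.__code__.co_names)
```

The audit helper is a cheap regression check for a code base: any action it lists is one that can be reached without the token ever being validated.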