Date: Wed, 21 May 2014 15:57:15 -0400 From: Tristan Cacqueray <tristan.cacqueray@...vance.com> To: oss-security@...ts.openwall.com Subject: [OSSA 2014-015] Keystone user and group id mismatch (CVE-2014-0204) OpenStack Security Advisory: 2014-015 CVE: CVE-2014-0204 Date: May 21, 2014 Title: Keystone user and group id mismatch Reporter: Michael Stancampiano (IBM) Products: Keystone Versions: 2014.1 Description: Michael Stancampiano from IBM reported a vulnerability in Keystone. Someone with write access to the user and group repository (such as the LDAP directory server) may willingly or unwillingly grant additional rights by picking the same IDs for users and groups, resulting in roles assigned to a group being assigned to the affected user even if he is not a member of this group. Only Keystone setups using LDAP for the Identity driver are affected. Juno (development branch) fixes: https://review.openstack.org/94396 https://review.openstack.org/94470 Icehouse fix: https://review.openstack.org/94397 Notes: This fix will be included in the juno-1 development milestone and in a future 2014.1.1 release. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0204 https://launchpad.net/bugs/1309228 -- Tristan Cacqueray OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (556 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.