[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 10 Aug 2021 14:54:41 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2021-003] Keystone: Account name and UUID oracles in account
locking (CVE-2021-38155)
===============================================================
OSSA-2021-003: Account name and UUID oracles in account locking
===============================================================
:Date: August 10, 2021
:CVE: CVE-2021-38155
Affects
~~~~~~~
- Keystone: >=10.0.0 <16.0.2, >=17.0.0 <17.0.1, >=18.0.0 <18.0.1, >=19.0.0 <19.0.1
Description
~~~~~~~~~~~
Samuel de Medeiros Queiroz with Oi Cloud reported a vulnerability
affecting Keystone account locking. By guessing the name of an
account and failing to authenticate multiple times, any
unauthenticated actor could both confirm the account exists and
obtain that account's corresponding UUID, which might be leveraged
for other unrelated attacks. All Keystone deployments enabling
security_compliance.lockout_failure_attempts are affected.
Patches
~~~~~~~
- https://review.opendev.org/790444 (Train)
- https://review.opendev.org/790443 (Ussuri)
- https://review.opendev.org/790442 (Victoria)
- https://review.opendev.org/790440 (Wallaby)
- https://review.opendev.org/759940 (Xena)
Credits
~~~~~~~
- Samuel de Medeiros Queiroz from Oi Cloud (CVE-2021-38155)
References
~~~~~~~~~~
- https://launchpad.net/bugs/1688137
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38155
--
Jeremy Stanley
Download attachment "signature.asc" of type "application/pgp-signature" (964 bytes)
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
