
List:       oss-security
Subject:    [oss-security] [OSSA 2013-017] Issues in Keystone middleware memcache signing/encryption feature (CV
From:       Thierry Carrez <thierry () openstack ! org>
Date:       2013-06-19 15:40:17
Message-ID: 51C1D0E1.9000704 () openstack ! org


OpenStack Security Advisory: 2013-017
CVE: CVE-2013-2166, CVE-2013-2167
Date: June 19, 2013
Title: Issues in Keystone middleware memcache signing/encryption feature
Reporter: Paul McMillan (Nebula)
Products: python-keystoneclient
Affects: version 0.2.3 to 0.2.5

Description:
Paul McMillan from Nebula reported multiple issues in the implementation
of the memcache signing/encryption feature in the Keystone client
middleware. An attacker with direct write access to the memcache backend
(or in a man-in-the-middle position between the middleware and memcache)
could insert malicious data and potentially bypass the encryption
(CVE-2013-2166) or signing (CVE-2013-2167) security strategy that was
configured. Only setups that use memcache caching in the Keystone
middleware (i.e. that specify memcache_servers) and that use ENCRYPT or
MAC as their memcache_security_strategy are affected.
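The affected class of deployments is defined by two options and a version range. The following added example (not code from the advisory or from python-keystoneclient) reads a constructed api-paste.ini fragment and flags configurations that fall into that class; the [filter:authtoken] section layout and the sample values are assumptions.

```python
"""Flag Keystone auth_token middleware configs in the OSSA 2013-017 class:
memcache caching enabled (memcache_servers set) with memcache_security_strategy
ENCRYPT or MAC, on python-keystoneclient 0.2.3 through 0.2.5.

Added example, not code from the advisory or from python-keystoneclient.
"""
import configparser

AFFECTED_VERSIONS = {(0, 2, 3), (0, 2, 4), (0, 2, 5)}  # "version 0.2.3 to 0.2.5"
AFFECTED_STRATEGIES = {"ENCRYPT", "MAC"}

# Constructed sample api-paste.ini fragment (assumed layout, not a real deployment).
SAMPLE_PASTE_INI = """
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
auth_host = 127.0.0.1
memcache_servers = 10.0.0.5:11211,10.0.0.6:11211
memcache_security_strategy = mac
"""


def parse_version(version):
    """Turn '0.2.4' into (0, 2, 4) for comparison against the affected set."""
    return tuple(int(part) for part in version.split("."))


def is_affected(paste_ini_text, client_version, section="filter:authtoken"):
    """True when the installed client is in the affected range AND the config
    both caches in memcache and selects the ENCRYPT or MAC strategy."""
    if parse_version(client_version) not in AFFECTED_VERSIONS:
        return False
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(paste_ini_text)
    if not cfg.has_section(section):
        return False
    servers = cfg.get(section, "memcache_servers", fallback="").strip()
    strategy = cfg.get(section, "memcache_security_strategy", fallback="").strip()
    # Without memcache_servers the middleware never touches memcache; without
    # ENCRYPT/MAC the broken signing/encryption code path is not used.
    return bool(servers) and strategy.upper() in AFFECTED_STRATEGIES


if __name__ == "__main__":
    print(is_affected(SAMPLE_PASTE_INI, "0.2.4"))  # True
```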

python-keystoneclient fix (will be included in upcoming 0.2.6 release):
https://review.openstack.org/#/c/33661

References:
https://bugs.launchpad.net/python-keystoneclient/+bug/1175367
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2166
https://bugs.launchpad.net/python-keystoneclient/+bug/1175368
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2167

-- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team