'[oss-security] [OSSA 2013-028] Unintentional role granting with Keystone LDAP backend (CVE-2013-4477'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] [OSSA 2013-028] Unintentional role granting with Keystone LDAP backend (CVE-2013-4477
From:       Thierry Carrez <thierry () openstack ! org>
Date:       2013-10-30 16:36:28
Message-ID: 5271358C.1010508 () openstack ! org
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-028
CVE: CVE-2013-4477
Date: October 30, 2013
Title: Unintentional role granting with Keystone LDAP backend
Reporter: The IBM OpenStack test team
Products: Keystone
Affects: All supported versions

Description:
The IBM OpenStack test team reported a vulnerability in role change
code within the Keystone LDAP backend. When a role on a tenant is
removed from a user, and that user doesn't have that role on the
tenant, then the user may actually be granted the role on the tenant.
A user could use social engineering and leverage that vulnerability to
get extra roles granted, or may accidentally be granted extra roles.
Only Keystone setups using a LDAP backend are affected.

Icehouse (development branch) fix:
https://review.openstack.org/53012

Havana fix:
https://review.openstack.org/53146

Grizzly fix:
https://review.openstack.org/53154

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4477
https://bugs.launchpad.net/keystone/+bug/1242855

Regards,

- -- 
Thierry Carrez
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJScTWMAAoJEFB6+JAlsQQjPuIQAIEYi9MIqI9nIN5vQlj9MLlB
nW9CUjvhHCq6B9k9njqeiXyo9Nl+AQIiNQpULE1li48SWlicGJtary2PAzYasHKv
jiPZyU5+I5V6FsK42EcnazymK9Nsd5Xow0l9TIaQ2OL7ee0BQkgqiGaFVGU26yWy
Zfjl1+ebWjP+SB0lpvYL0lDx5fNEhPL5G8iONOet1tT+vTIXYsWiYq6VS7/wTSdq
WkY/6X7JLPPRmzwrJQvLBjQdTxUAQUmKew6NoOS0mSjX5MZjTsmHR+DaPUqFAVwF
jK7QFxTfYd11ZQEWPPNJ8gA1/MvFW+y1zSKYphQNAMns4Ez6hoFzBsLnA0IWHUra
OgwrqTKblHp9W7MPY3Kc8c+f7Mb1qJrzLtvoI2Vm8srhIv/ZfWrMEvtPFfQ9F9K+
H1vf16woxD4E0yCspIcJBG1f3fKTZ9YAEjepjI9L0NGFPuJ2K79dwb8jHopn4Z67
sQXCQMD1fFOZ6z/yHG22AKLWxbICWRFTgEz6VRULgLoniq4FN40bhuA8C2eu0rte
qpx6s63BQgPg5tEY24qr5W70lPdKVn4KTIDlyiLGUUa3zHfI5yCIRjEbs0x9FtTv
AIlLoTPXkUhy9eshJdeNCOapSqaXF49WcllBzDMswosxqM2RbbP6dgzSTFO7qoZS
hp/4MizCO99lqP7mU6FJ
=kxqa
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic