Bug 1039164 (CVE-2013-6391)

Summary: CVE-2013-6391 OpenStack Keystone: trust circumvention through EC2-style tokens
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Reporter: Kurt Seifried <kseifried>
Assignee: Red Hat Product Security <security-response-team>
CC: aortega, apevec, ayoung, chrisw, dallan, gkotton, gmollett, iheim, lhh, markmc, rbryant, sclewis, security-response-team, yeylon
Keywords: Security
Whiteboard: impact=moderate,public=20131211,reported=20131206,source=redhat,cvss2=4.0/AV:N/AC:L/Au:S/C:N/I:P/A:N,fedora-all/openstack-keystone=affected,epel-6/openstack-keystone=affected,openstack-3/openstack-keystone=affected,openstack-4/openstack-keystone=affected,openstack-rdo/openstack-keystone=affected
Doc Type: Bug Fix
Last Closed: 2014-04-08 20:06:15 EDT
Bug Depends On: 1039166, 1082418
Bug Blocks: 1039165

Attachments:
cve-2013-6391-stable-havana.patch (Flags: none)

Description Kurt Seifried 2013-12-06 14:44:10 EST
Jeremy Stanley of the OpenStack Project reports:

Steven Hardy from Red Hat reported a vulnerability in Keystone
trusts when used in conjunction with the ec2tokens API. By
generating EC2 credentials using a trust-scoped token, a trustee may
retrieve a token not scoped to the trust, therefore elevating
privileges to all of the trustor's roles. Only Keystone setups
enabling EC2-style authentication are affected.
Comment 1 Kurt Seifried 2013-12-06 14:48:54 EST
Created attachment 833742
Comment 2 Kurt Seifried 2013-12-06 14:49:12 EST
Created attachment 833743
Comment 4 Kurt Seifried 2013-12-06 16:53:53 EST

Red Hat would like to thank Jeremy Stanley of the OpenStack Project for reporting this issue. Upstream acknowledges Steven Hardy of Red Hat as the original reporter.
Comment 5 Kurt Seifried 2013-12-06 16:54:16 EST
Proposed public disclosure date/time:
Wednesday, December 11, 2013, 1500UTC
Comment 6 errata-xmlrpc 2014-01-22 13:34:35 EST
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:0089 https://rhn.redhat.com/errata/RHSA-2014-0089.html
Comment 8 errata-xmlrpc 2014-04-03 16:18:55 EDT
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2014:0368 https://rhn.redhat.com/errata/RHSA-2014-0368.html
Comment 9 Fedora Update System 2014-04-05 00:54:49 EDT
openstack-keystone-2013.1.5-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.