Bug 1039164 (CVE-2013-6391)

Summary: CVE-2013-6391 OpenStack Keystone: trust circumvention through EC2-style tokens
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aortega, apevec, ayoung, chrisw, dallan, gkotton, gmollett, iheim, lhh, markmc, rbryant, sclewis, security-response-team, yeylon
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Doc Type: Bug Fix
Last Closed: 2014-04-09 00:06:15 UTC
Bug Depends On: 1039166, 1082418
Bug Blocks: 1039165
Attachments:
cve-2013-6391-master-icehouse.patch (attachment 833742, flags: none)
cve-2013-6391-stable-havana.patch (attachment 833743, flags: none)

Description Kurt Seifried 2013-12-06 19:44:10 UTC
Jeremy Stanley of the OpenStack Project reports:

Steven Hardy from Red Hat reported a vulnerability in Keystone
trusts when used in conjunction with the ec2tokens API. By
generating EC2 credentials using a trust-scoped token, a trustee may
retrieve a token not scoped to the trust, therefore elevating
privileges to all of the trustor's roles. Only Keystone setups
enabling EC2-style authentication are affected.

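The flaw the advisory describes is a scope-laundering problem: an EC2 credential minted while holding a trust-scoped token is later exchanged through ec2tokens for a token whose roles are computed from the credential's user alone, so the trust's role restriction (and any later revocation of the trust) is silently dropped. The following toy model is an added illustration for this bug page, not Keystone's own code or the attached patches; the classes (Trust, Token, Ec2Credential), the role table, the users alice/bob and the string-to-sign are all constructed for the demo. It shows the pre-fix exchange beside a hardened one that records the trust on the credential and re-derives the token from the trust at exchange time.

```python
"""Toy model of the CVE-2013-6391 flaw and a trust-aware mitigation.

Added illustration for this bug page, NOT Keystone's code. All names and
sample data (users, roles, trust ids, string-to-sign) are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed role assignments: (user, project) -> roles held directly.
ROLE_ASSIGNMENTS: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "proj"): {"admin", "member"},   # trustor
    ("bob", "proj"): set(),                    # trustee, no roles of his own
}


@dataclass
class Trust:
    trust_id: str
    trustor: str
    trustee: str
    project: str
    roles: Set[str]              # delegated subset of the trustor's roles
    impersonation: bool = True   # token acts as the trustor
    deleted: bool = False


@dataclass
class Token:
    user_id: str
    project_id: str
    roles: Set[str]
    trust_id: Optional[str] = None


@dataclass
class Ec2Credential:
    access: str
    secret: str
    user_id: str
    project_id: str
    trust_id: Optional[str] = None   # only the hardened path records this


def issue_trust_token(trust: Trust) -> Token:
    """Trustee redeems a trust: roles are limited to what the trust delegates,
    intersected with what the trustor currently holds."""
    if trust.deleted:
        raise PermissionError("trust revoked")
    held = ROLE_ASSIGNMENTS.get((trust.trustor, trust.project), set())
    acting_user = trust.trustor if trust.impersonation else trust.trustee
    return Token(acting_user, trust.project, trust.roles & held, trust.trust_id)


def create_ec2_credential(token: Token, record_trust: bool) -> Ec2Credential:
    """Mint an EC2 access/secret pair for the token's user and project."""
    return Ec2Credential(os.urandom(8).hex(), os.urandom(16).hex(),
                         token.user_id, token.project_id,
                         token.trust_id if record_trust else None)


def sign(secret: str, string_to_sign: str) -> str:
    """EC2-style request signature (HMAC over a canonical request string)."""
    return hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).hexdigest()


def _check_signature(cred: Ec2Credential, string_to_sign: str, signature: str) -> None:
    if not hmac.compare_digest(sign(cred.secret, string_to_sign), signature):
        raise PermissionError("bad signature")


def ec2_authenticate_vulnerable(cred: Ec2Credential, string_to_sign: str, signature: str) -> Token:
    """Pre-fix behaviour: a valid signature yields a token carrying every role
    the credential's user holds in the project, whether or not the credential
    was minted under a trust. This is the privilege escalation."""
    _check_signature(cred, string_to_sign, signature)
    return Token(cred.user_id, cred.project_id,
                 set(ROLE_ASSIGNMENTS[(cred.user_id, cred.project_id)]))


def ec2_authenticate_fixed(cred: Ec2Credential, string_to_sign: str, signature: str,
                           trusts: Dict[str, Trust]) -> Token:
    """Hardened: a credential that records a trust is exchanged only for a
    token re-derived from that trust, so scope can never exceed it and a
    revoked trust stops working."""
    _check_signature(cred, string_to_sign, signature)
    if cred.trust_id is None:
        return Token(cred.user_id, cred.project_id,
                     set(ROLE_ASSIGNMENTS[(cred.user_id, cred.project_id)]))
    trust = trusts.get(cred.trust_id)
    if trust is None or trust.deleted:
        raise PermissionError("trust missing or revoked")
    expected_user = trust.trustor if trust.impersonation else trust.trustee
    if cred.project_id != trust.project or cred.user_id != expected_user:
        raise PermissionError("credential does not match its trust")
    return issue_trust_token(trust)


def demo() -> Tuple[Token, Token]:
    """bob holds a trust from alice delegating only 'member' on 'proj'."""
    trusts = {"t1": Trust("t1", "alice", "bob", "proj", {"member"})}
    trust_token = issue_trust_token(trusts["t1"])   # acts as alice, member only
    cred = create_ec2_credential(trust_token, record_trust=True)
    sts = "GET\nkeystone\n/\nAction=GetToken"         # constructed string-to-sign
    sig = sign(cred.secret, sts)
    before = ec2_authenticate_vulnerable(cred, sts, sig)
    after = ec2_authenticate_fixed(cred, sts, sig, trusts)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("vulnerable:", sorted(b.roles), "| fixed:", sorted(a.roles), a.trust_id)
```

Two practical consequences follow from the model. The hardened exchange only helps for credentials that carry a trust reference, so EC2 credentials minted from trust-scoped tokens before such a fix is deployed should be found and deleted rather than assumed safe. And deployments that do not enable EC2-style authentication are outside this path entirely, which is why the advisory limits the affected population to setups with it enabled.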
Comment 1 Kurt Seifried 2013-12-06 19:48:54 UTC
Created attachment 833742 [details]
cve-2013-6391-master-icehouse.patch

Comment 2 Kurt Seifried 2013-12-06 19:49:12 UTC
Created attachment 833743 [details]
cve-2013-6391-stable-havana.patch

Comment 4 Kurt Seifried 2013-12-06 21:53:53 UTC
Acknowledgements: 

Red Hat would like to thank Jeremy Stanley of the OpenStack Project for reporting this issue. Upstream acknowledges Steven Hardy of Red Hat as the original reporter.

Comment 5 Kurt Seifried 2013-12-06 21:54:16 UTC
Proposed public disclosure date/time:
Wednesday, December 11, 2013, 1500UTC

Comment 6 errata-xmlrpc 2014-01-22 18:34:35 UTC
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:0089 https://rhn.redhat.com/errata/RHSA-2014-0089.html

Comment 8 errata-xmlrpc 2014-04-03 20:18:55 UTC
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2014:0368 https://rhn.redhat.com/errata/RHSA-2014-0368.html

Comment 9 Fedora Update System 2014-04-05 04:54:49 UTC
openstack-keystone-2013.1.5-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.