Bug 1082165 (CVE-2014-0105)

Summary: CVE-2014-0105 python-keystoneclient: Potential context confusion in Keystone middleware
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aavati, abaron, aortega, apevec, apevec, ayoung, chrisw, dallan, gkotton, gmollett, Jan.van.Eldik, jose.castro.leon, jruzicka, lhh, markmc, nlevinki, rbryant, rfortier, rhos-maint, rhs-bugs, sclewis, ssaha, vagarwal, vbellur, vdanen, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python-keystone-client 0.7.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-09 21:19:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1082172, 1082173, 1083754, 1083755, 1087172, 1087181    
Bug Blocks: 1082166    

Description Vincent Danen 2014-03-28 21:11:47 UTC 
Kieran Spear from the University of Melbourne reported [1] a vulnerability
in Keystone auth_token middleware (shipped in python-keystoneclient). By
doing repeated requests, with sufficient load on the target system, an
authenticated user may in certain situations assume another
authenticated user's complete identity and multi-tenant authorizations,
potentially resulting in a privilege escalation. Note that it is related
to a bad interaction between eventlet and python-memcached that should
be avoided if the calling process already monkey-patches "thread" to use
eventlet. Only keystone middleware setups using auth_token with memcache
are vulnerable.

python-keystoneclient fix (included in 0.7.0 release): https://review.openstack.org/81078

[1] https://bugs.launchpad.net/bugs/1282865


Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Kieran Spear from the University of Melbourne as the original reporter.
Comment 1 Vincent Danen 2014-03-28 21:51:08 UTC 
Created python-keystoneclient tracking bugs for this issue:

Affects: fedora-all [bug 1082172]
Affects: epel-6 [bug 1082173]
Comment 5 errata-xmlrpc 2014-04-09 17:31:01 UTC 
This issue has been addressed in following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:0382 https://rhn.redhat.com/errata/RHSA-2014-0382.html
Comment 9 errata-xmlrpc 2014-04-17 01:42:01 UTC 
This issue has been addressed in following products:

  Red Hat Storage 2.1

Via RHSA-2014:0409 https://rhn.redhat.com/errata/RHSA-2014-0409.html
Comment 10 errata-xmlrpc 2014-04-28 20:06:31 UTC 
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2014:0442 https://rhn.redhat.com/errata/RHSA-2014-0442.html