Bug 1095981 (CVE-2014-0204)

Summary: CVE-2014-0204 openstack-keystone: user and group id mismatch
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, apevec, ayoung, bfilippov, chrisw, dallan, d.busby, gkotton, gmollett, itamar, jonathansteffan, jose.castro.leon, lhh, markmc, mmcallis, p, rbryant, rhos-maint, sclewis, security-response-team, vdanen, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-23 06:40:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1101008, 1112079
Bug Blocks: 1095984

Description Murray McAllister 2014-05-09 02:38:27 UTC
The OpenStack project reports:

""
Title: Keystone user and group id mismatch
Reporter: Michael Stancampiano (IBM)
Products: Keystone
Versions: 2014.1

Description:
Michael Stancampiano from IBM reported a vulnerability in Keystone.
Someone with write access to the user and group repository (such as the
LDAP directory server) may willingly or unwillingly grant additional
rights by picking the same IDs for users and groups, resulting in roles
assigned to a group being assigned to the affected user even if he is
not a member of this group. Only Keystone setups using LDAP for the
Identity driver are affected.
""

Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Michael Stancampiano of IBM as the original reporter.
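
The mechanism described in the advisory above, as an added illustration that is neither Keystone's code nor part of the original report: a simplified role lookup keyed on a shared, untyped ID space shows a role granted to a group leaking to a user that happens to carry the same ID, next to a type-qualified lookup that does not, plus a check a deployer can run over a directory export to find user/group ID collisions. All users, groups, memberships and assignments are constructed for the example.

```python
"""Added example (not Keystone's own implementation): role resolution with
an untyped actor-ID space versus a type-qualified one, and a collision
check for an LDAP-backed identity store. All data below is constructed."""

# Constructed directory export. With the LDAP Identity driver, a directory
# attribute becomes the Keystone user or group ID, so whoever can write to
# the directory can give a user and a group the same ID value.
USERS = {"1001": "alice", "1002": "bob"}
GROUPS = {"2001": "ops", "1002": "admins"}        # "1002" collides with bob
MEMBERSHIP = {"2001": {"1001"}, "1002": set()}    # group id -> member user ids

# Flawed shape: assignments keyed only by actor id, so the store cannot
# tell user "1002" apart from group "1002".
ASSIGNMENTS_UNTYPED = [("1002", "project-x", "admin"),
                       ("2001", "project-x", "member")]

# Corrected shape: the actor carries its type alongside the id.
ASSIGNMENTS_TYPED = [(("group", "1002"), "project-x", "admin"),
                     (("group", "2001"), "project-x", "member")]


def groups_of(user_id):
    """Group ids the user is actually a member of."""
    return {g for g, members in MEMBERSHIP.items() if user_id in members}


def roles_untyped(user_id, project):
    """Roles where the actor id equals the user id or one of its group ids.
    Bob ("1002") is not in group "1002", yet the untyped match hands him the
    group's 'admin' role: the mismatch the advisory describes."""
    actor_ids = {user_id} | groups_of(user_id)
    return sorted(r for a, p, r in ASSIGNMENTS_UNTYPED
                  if a in actor_ids and p == project)


def roles_typed(user_id, project):
    """Same lookup, but the actor is matched as (type, id), so a group
    assignment can only reach real members of that group."""
    actors = {("user", user_id)} | {("group", g) for g in groups_of(user_id)}
    return sorted(r for a, p, r in ASSIGNMENTS_TYPED
                  if a in actors and p == project)


def id_collisions(users, groups):
    """Deployer check: ids that appear both as a user id and as a group id."""
    return sorted(set(users) & set(groups))


if __name__ == "__main__":
    print("untyped:", roles_untyped("1002", "project-x"))   # ['admin']
    print("typed:  ", roles_typed("1002", "project-x"))     # []
    print("collisions:", id_collisions(USERS, GROUPS))      # ['1002']
```

Running the collision check against a real directory export means extracting the attributes the deployment maps to user and group IDs and feeding them in as the two dictionaries.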

Comment 4 Alan Pevec 2014-05-21 22:06:43 UTC
This went public today http://lists.openstack.org/pipermail/openstack-announce/2014-May/000231.html

Please create Fedora clone.

Comment 6 Murray McAllister 2014-05-25 12:18:48 UTC
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1101008]

Comment 7 Murray McAllister 2014-05-25 12:19:27 UTC
Note that there is a regression in the original patches: https://review.openstack.org/94397

Comment 9 Garth Mollett 2014-05-28 06:57:34 UTC
Statement:

Not vulnerable. This issue did not affect the versions of openstack-keystone as shipped with Red Hat Enterprise Linux OpenStack Platform 3 and 4.