Bug 1139937 (CVE-2014-3621)

Summary: CVE-2014-3621 openstack-keystone: configuration data information leak through Keystone catalog
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abaron, aortega, apevec, ayoung, chrisw, dallan, gkotton, gmollett, lhh, lpeer, markmc, nkinder, rbryant, sclewis, security-response-team, vdanen, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20140916,reported=20140908,source=upstream,cvss2=3.6/AV:N/AC:H/Au:S/C:P/I:P/A:N,cwe=CWE-200,openstack-4/openstack-keystone=affected,openstack-5/openstack-keystone=affected,openstack-rdo/openstack-keystone=affected,fedora-all/openstack-keystone=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was found in the keystone catalog URL replacement. A user with permissions to register an endpoint could use this flaw to leak configuration data, including the master admin_token. Only keystone setups that allow non-cloud-admin users to create endpoints were affected by this issue.
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-11-03 12:17:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1142547, 1142118, 1142119, 1142120, 1142546    
Bug Blocks: 1139952, 1150355    
Attachments:
Description Flags
patch from upstream for master
none
patch from upstream for havana
none
patch from upstream for icehouse none

Description Murray McAllister 2014-09-10 04:01:52 UTC
The OpenStack project reports:

""
Title: Configuration option leak through Keystone catalog
Reporter: Brant Knudson (IBM)
Products: Keystone
Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2.1

Description:
Brant Knudson from IBM reported a vulnerability in Keystone catalog URL
replacement. By creating a malicious endpoint a privileged user may
reveal configuration options resulting in sensitive information, like
master admin_token, being exposed through the service url. All Keystone
setups that allow non-admin users to create endpoints are affected.
""

Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Brant Knudson from IBM as the original reporter.

Comment 2 Murray McAllister 2014-09-10 04:03:22 UTC
Created attachment 935976 [details]
patch from upstream for master

Comment 3 Murray McAllister 2014-09-10 04:04:16 UTC
Created attachment 935978 [details]
patch from upstream for havana

Comment 4 Murray McAllister 2014-09-10 04:05:29 UTC
Created attachment 935980 [details]
patch from upstream for icehouse

Comment 7 Murray McAllister 2014-09-17 03:01:24 UTC
This issue is public now:

http://www.openwall.com/lists/oss-security/2014/09/16/10

Comment 8 Murray McAllister 2014-09-17 03:02:06 UTC
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1142546]

Comment 10 Martin Prpič 2014-10-20 12:09:50 UTC
IssueDescription:

A flaw was found in the keystone catalog URL replacement. A user with permissions to register an endpoint could use this flaw to leak configuration data, including the master admin_token. Only keystone setups that allow non-cloud-admin users to create endpoints were affected by this issue.

Comment 11 errata-xmlrpc 2014-10-22 17:22:39 UTC
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:1688 https://rhn.redhat.com/errata/RHSA-2014-1688.html

Comment 12 errata-xmlrpc 2014-11-03 08:47:41 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2014:1790 https://rhn.redhat.com/errata/RHSA-2014-1790.html

Comment 13 errata-xmlrpc 2014-11-03 08:47:57 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2014:1789 https://rhn.redhat.com/errata/RHSA-2014-1789.html