Bug 1139937 (CVE-2014-3621)
Summary: | CVE-2014-3621 openstack-keystone: configuration data information leak through Keystone catalog | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> | ||||||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||||
Status: | CLOSED ERRATA | QA Contact: | |||||||||
Severity: | high | Docs Contact: | |||||||||
Priority: | high | ||||||||||
Version: | unspecified | CC: | abaron, aortega, apevec, ayoung, chrisw, dallan, gkotton, gmollett, lhh, lpeer, markmc, nkinder, rbryant, sclewis, security-response-team, vdanen, yeylon | ||||||||
Target Milestone: | --- | Keywords: | Security | ||||||||
Target Release: | --- | ||||||||||
Hardware: | All | ||||||||||
OS: | Linux | ||||||||||
Whiteboard: | |||||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||||
Doc Text: |
A flaw was found in the keystone catalog URL replacement. A user with permissions to register an endpoint could use this flaw to leak configuration data, including the master admin_token. Only keystone setups that allow non-cloud-admin users to create endpoints were affected by this issue.
|
Story Points: | --- | ||||||||
Clone Of: | Environment: | ||||||||||
Last Closed: | 2014-11-03 12:17:44 UTC | Type: | --- | ||||||||
Regression: | --- | Mount Type: | --- | ||||||||
Documentation: | --- | CRM: | |||||||||
Verified Versions: | Category: | --- | |||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||
Embargoed: | |||||||||||
Bug Depends On: | 1142118, 1142119, 1142120, 1142546, 1142547 | ||||||||||
Bug Blocks: | 1139952, 1150355 | ||||||||||
Attachments: |
|
Description
Murray McAllister
2014-09-10 04:01:52 UTC
Created attachment 935976 [details]
patch from upstream for master
Created attachment 935978 [details]
patch from upstream for havana
Created attachment 935980 [details]
patch from upstream for icehouse
This issue is public now: http://www.openwall.com/lists/oss-security/2014/09/16/10 Created openstack-keystone tracking bugs for this issue: Affects: fedora-all [bug 1142546] IssueDescription: A flaw was found in the keystone catalog URL replacement. A user with permissions to register an endpoint could use this flaw to leak configuration data, including the master admin_token. Only keystone setups that allow non-cloud-admin users to create endpoints were affected by this issue. This issue has been addressed in the following products: OpenStack 4 for RHEL 6 Via RHSA-2014:1688 https://rhn.redhat.com/errata/RHSA-2014-1688.html This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2014:1790 https://rhn.redhat.com/errata/RHSA-2014-1790.html This issue has been addressed in the following products: OpenStack 5 for RHEL 6 Via RHSA-2014:1789 https://rhn.redhat.com/errata/RHSA-2014-1789.html |