Bug 1781470 (CVE-2019-19687)

Summary: CVE-2019-19687 openstack-keystone: Credentials API allows non-admin to list and retrieve all users credentials
Product: [Other] Security Response Reporter: Summer Long <slong>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acanan, aileenc, ayoung, chazlett, dbecker, drieden, ggaughan, janstey, jjoyce, jschluet, jwon, kbasil, lhh, lpeer, mburns, nkinder, sclewis, slinaber, srevivo
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: keystone 16.0.0-5, keystone 15.0.0-18 Doc Type: If docs needed, set a value
Doc Text:
A disclosure vulnerability was found in openstack-keystone's credentials API. Users with a project role are able to list any credentials with the /v3/credentials API when enforce_scope is false. Information for time-based one time passwords (TOTP) may also be disclosed. Deployments running keystone with enforce_scope set to false are also affected. There will be a slight performance impact for the list credentials API once this issue is fixed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-12-19 20:09:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1782632, 1782633, 1782634    
Bug Blocks: 1781461    

Description Summer Long 2019-12-10 05:22:58 UTC 
A vulnerability was found in Keystone's list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could leak sign-on information for Time-based One Time Passwords (TOTP) or othewise. Deployments running keystone with enforce_scope set to false are affected. There will be a slight performance impact for the list credentials API once this issue is fixed.
Affects: ==15.0.0, ==16.0.0
Comment 2 Summer Long 2019-12-10 05:25:48 UTC 
Upstream patches:
master: https://git.openstack.org/cgit/openstack/keystone/commit/?id=17c337dbdbfb9d548ad531c2ad0483c9bce5b98f
train: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bd3f63787151183f4daa43578aa491856fefae5b
stein: https://git.openstack.org/cgit/openstack/keystone/commit/?id=17947516b0095c51da5cff94771247f2e7c44ee6
Comment 4 Summer Long 2019-12-12 01:03:46 UTC 
Upstream issue: https://bugs.launchpad.net/ossa/+bug/1855080
Comment 5 Summer Long 2019-12-12 01:04:55 UTC 
External References:

https://security.openstack.org/ossa/OSSA-2019-006.html
https://seclists.org/oss-sec/2019/q4/152
Comment 6 Summer Long 2019-12-12 01:06:36 UTC 
Created openstack-keystone tracking bugs for this issue:

Affects: openstack-rdo [bug 1782632]
Comment 8 Summer Long 2019-12-12 01:47:17 UTC 
Mitigation:

To mitigate this issue, set the [oslo_policy] enforce_scope option to 'true' in the keystone.conf file.
Comment 10 Summer Long 2019-12-17 23:18:25 UTC 
Hi Eric, 'a project role' would be more precise, I think. thx! s
Comment 11 errata-xmlrpc 2019-12-19 19:26:48 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 15.0 (Stein)

Via RHSA-2019:4358 https://access.redhat.com/errata/RHSA-2019:4358
Comment 12 Product Security DevOps Team 2019-12-19 20:09:39 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19687