Bug 1962908 (CVE-2021-3563)

Summary: CVE-2021-3563 Keystone: Verification of application credentials is silently length-limited
Product: [Other] Security Response
Reporter: Nick Tait <ntait>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: dmendiza, dwilde, eglynn, jan.fedora, jjoyce, jschluet, lbragsta, lhh, lpeer, mburns, mgarciac, oblaut, sclewis, slinaber, spower, tuxmealux+redhatbz
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in openstack-keystone. Only the first 72 characters of an application credential secret are verified, so any characters beyond that point contribute nothing to authentication. This allows attackers to bypass some of the password complexity that administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity.
Bug Depends On: 1964525, 1964527, 1964529, 2070962, 2154112    
Bug Blocks: 1922882, 1963091    

Description Nick Tait 2021-05-20 18:41:05 UTC
Keystone only verifies part of the secret - the first 72 characters. Additional complexity is ignored, giving users an inflated sense of security. Default length of a secret seems to be 86 characters. While brute forcing at this scale is out of reach for many attackers, state of the art is constantly evolving and we need to support OpenStack for many years to come.
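
The truncation described above and the two usual ways to close it, as an added example that is not code from Keystone, this bug or the Launchpad report. It models the 72-byte limit with a stdlib KDF (the limit is assumed to be bcrypt's 72-byte input bound, which the page itself does not name), shows that two secrets sharing a 72-byte prefix verify against the same stored hash, provides a black-box probe that finds the first byte position a verifier ignores, and contrasts a SHA-256 pre-hash (the shape of passlib's bcrypt_sha256 handler) with an explicit length check. The function names, the PBKDF2 stand-in, the constructed sample secrets and the optional bcrypt hook are all choices made here, not anything the report specifies.

```python
"""Black-box probe for silent secret truncation, plus the two usual fixes.

Added example, not code from Keystone or the bug report. It models the
reported behaviour (only the first 72 bytes of a secret are compared) with
a stdlib KDF; bcrypt, which consumes at most 72 bytes of input, is the
assumed origin of the limit.
"""
import hashlib
import hmac
import os
import random
import string
from typing import Callable, Optional

INPUT_LIMIT = 72        # bytes bcrypt actually keys on; anything after is dropped
SALT_LEN = 16
KDF_ROUNDS = 1_000      # deliberately low: this is a demo, not a production setting

Hasher = Callable[[bytes], bytes]
Verifier = Callable[[bytes, bytes], bool]


def _kdf(material: bytes, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for bcrypt so the example runs offline.
    return hashlib.pbkdf2_hmac("sha256", material, salt, KDF_ROUNDS)


def truncating_hash(secret: bytes) -> bytes:
    """Constructed model of the flaw: only the first INPUT_LIMIT bytes are hashed."""
    salt = os.urandom(SALT_LEN)
    return salt + _kdf(secret[:INPUT_LIMIT], salt)


def truncating_verify(secret: bytes, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_kdf(secret[:INPUT_LIMIT], salt), digest)


def hardened_hash(secret: bytes) -> bytes:
    """Fix 1: pre-hash so every byte of the secret influences the stored value.

    The fixed-size SHA-256 digest is what reaches the length-limited KDF; this
    is the shape of passlib's bcrypt_sha256 handler.
    """
    salt = os.urandom(SALT_LEN)
    return salt + _kdf(hashlib.sha256(secret).digest(), salt)


def hardened_verify(secret: bytes, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_kdf(hashlib.sha256(secret).digest(), salt), digest)


def enforce_limit(secret: bytes) -> bytes:
    """Fix 2: refuse instead of silently dropping, for hashers you cannot change."""
    if len(secret) > INPUT_LIMIT:
        raise ValueError(f"secret is {len(secret)} bytes; only {INPUT_LIMIT} would be verified")
    return secret


def probe_truncation(hash_fn: Hasher, verify_fn: Verifier, max_len: int = 128) -> Optional[int]:
    """Return the first byte position the verifier ignores, or None if all matter.

    Hash one max_len-byte secret, then flip a single bit at each position in
    turn. A flipped secret that still verifies proves that position is never
    compared. The same loop works against a live service once hash_fn and
    verify_fn wrap its create-credential and authenticate calls.
    """
    alphabet = string.ascii_letters + string.digits   # no NUL, safe for C-string hashers
    secret = "".join(random.choices(alphabet, k=max_len)).encode()
    stored = hash_fn(secret)
    for pos in range(max_len):
        mutated = bytearray(secret)
        mutated[pos] ^= 0x01          # still printable ASCII, but a different byte
        if verify_fn(bytes(mutated), stored):
            return pos
    return None


if __name__ == "__main__":
    long_secret = b"A" * 86               # 86 is the default secret length the report cites
    look_alike = b"A" * 72 + b"B" * 14    # same 72-byte prefix, different tail
    print("model accepts look-alike:   ", truncating_verify(look_alike, truncating_hash(long_secret)))
    print("hardened accepts look-alike:", hardened_verify(look_alike, hardened_hash(long_secret)))
    print("model truncates at byte:    ", probe_truncation(truncating_hash, truncating_verify))
    print("hardened truncates at byte: ", probe_truncation(hardened_hash, hardened_verify))
    try:
        import bcrypt  # optional: probe the real library if it happens to be installed
    except ImportError:
        bcrypt = None
    if bcrypt is not None:
        def bc_hash(s: bytes) -> bytes:
            return bcrypt.hashpw(s, bcrypt.gensalt(rounds=4))

        def bc_verify(s: bytes, h: bytes) -> bool:
            return bcrypt.checkpw(s, h)

        try:
            print("bcrypt truncates at byte:   ", probe_truncation(bc_hash, bc_verify))
        except ValueError as exc:         # newer releases reject over-length input outright
            print("bcrypt rejects over-length input:", exc)
```

Run stand-alone, the model reports position 72 and the hardened variant reports None; the probe is the check to repeat against any verifier you inherit, since a limit like this is invisible from the API surface and only shows up when a deliberately altered tail still authenticates.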

Comment 4 Jan Zerebecki 2021-06-09 13:43:11 UTC
Upstream report is https://bugs.launchpad.net/keystone/+bug/1901891