Bug 861179 (CVE-2012-4456)

Summary: CVE-2012-4456 Openstack Keystone 2012.1.1: fails to validate tokens in Admin API
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: apevec, bfilippov, breu, d.busby, Jan.van.Eldik, jonathansteffan, jose.castro.leon, jrusnack, markmc, p, rbryant, rcvalle
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20120531,reported=20120926,source=upstream,cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P,openstack-1/openstack-keystone=affected,fedora-all/openstack-keystone=affected,epel-6/openstack-keystone=affected,cwe=CWE-304
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-10-16 14:16:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 861182, 861183, 861185
Bug Blocks: 852512
Attachments: CVE-2012-4456-keystone-1006822.patch (flags: none)

Description Kurt Seifried 2012-09-27 14:07:27 EDT
Jason Xu (yinyangxu@gmail.com) discovered several vulnerabilities in OpenStack 
Keystone token verification:

The first occurs in the API /v2.0/OS-KSADM/services and 
/v2.0/OS-KSADM/services/{service_id}, the second occurs in 

In both cases the OpenStack Keystone code fails to check if the tokens are 
valid. These issues have been addressed by adding checks in the form of 
test_service_crud_requires_auth() and test_user_role_list_requires_auth().

External references:
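The class of defect described above (an admin API handler that answers without validating the caller's token) and the shape of the fix (a check that the endpoint rejects unauthenticated requests, in the spirit of the test_*_requires_auth tests the patch added) as a small added Python example. This is illustration code written for this page, not Keystone's implementation: the TokenStore, the requires_admin_token decorator, the SERVICES list and the endpoint_requires_auth helper are all constructed here.

```python
"""Minimal model of an admin API endpoint guarded by token validation.

Hypothetical illustration, not Keystone's code: an in-memory token store,
a decorator that validates the X-Auth-Token header before an admin handler
runs, and a "requires auth" check mirroring the tests described in the bug.
"""
import secrets
import time
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when a request carries no valid admin token."""


@dataclass
class Token:
    token_id: str
    user: str
    roles: set
    expires_at: float


@dataclass
class TokenStore:
    """Constructed in-memory token store standing in for an identity backend."""
    tokens: dict = field(default_factory=dict)

    def issue(self, user, roles, ttl=3600):
        token = Token(secrets.token_hex(16), user, set(roles), time.time() + ttl)
        self.tokens[token.token_id] = token
        return token.token_id

    def validate(self, token_id):
        """Return the token if it exists, is unexpired and carries the admin role."""
        token = self.tokens.get(token_id)
        if token is None or token.expires_at <= time.time():
            raise Unauthorized("token missing, unknown or expired")
        if "admin" not in token.roles:
            raise Unauthorized("token lacks admin role")
        return token


# Constructed sample data standing in for the service catalog.
SERVICES = [{"id": "svc-1", "name": "keystone", "type": "identity"}]


def requires_admin_token(store):
    """Decorator: refuse the request unless X-Auth-Token validates in `store`."""
    def wrap(handler):
        def guarded(request, *args, **kwargs):
            token_id = request.get("headers", {}).get("X-Auth-Token")
            if not token_id:
                raise Unauthorized("X-Auth-Token header missing")
            request["token"] = store.validate(token_id)  # raises on invalid token
            return handler(request, *args, **kwargs)
        return guarded
    return wrap


def list_services_unchecked(request):
    """The flawed shape: the handler answers without consulting the token."""
    return SERVICES


STORE = TokenStore()


@requires_admin_token(STORE)
def list_services(request):
    """Hardened handler: only reached once the token has validated."""
    return SERVICES


def endpoint_requires_auth(handler):
    """Mirror of a *_requires_auth test: True only if the handler rejects both
    a request with no token and a request with an unknown token."""
    for request in ({"headers": {}}, {"headers": {"X-Auth-Token": "bogus"}}):
        try:
            handler(request)
        except Unauthorized:
            continue
        return False  # the handler answered an unauthenticated request
    return True


if __name__ == "__main__":
    print("unchecked handler requires auth:", endpoint_requires_auth(list_services_unchecked))
    print("guarded handler requires auth:", endpoint_requires_auth(list_services))
```

The point of endpoint_requires_auth is that the regression check lives beside the endpoint: any admin handler added later can be run through the same check, so a missing decorator fails a test rather than shipping.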
Comment 1 Kurt Seifried 2012-09-27 14:19:06 EDT
Created openstack-keystone tracking bugs for this issue

Affects: fedora-all [bug 861182]
Comment 2 Kurt Seifried 2012-09-27 14:21:05 EDT
Created openstack-keystone tracking bugs for this issue

Affects: epel-6 [bug 861183]
Comment 4 Kurt Seifried 2012-09-27 15:20:58 EDT
Created attachment 618256
Comment 5 Kurt Seifried 2012-09-27 15:21:16 EDT
Created attachment 618257
Comment 6 Kurt Seifried 2012-09-29 09:59:28 EDT
Official vendor advisory:
Comment 7 errata-xmlrpc 2012-10-16 13:26:01 EDT
This issue has been addressed in the following products:

  OpenStack Essex for RHEL 6

Via RHSA-2012:1378 https://rhn.redhat.com/errata/RHSA-2012-1378.html