Bug 873447 (CVE-2012-5483)
| Summary: | CVE-2012-5483 OpenStack: Keystone /etc/keystone/ec2rc secret key exposure | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | apevec, cpelland, markmc, pbrady, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-12-11 07:57:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 873449, 873529, 876287, 1102466 | | |
| Bug Blocks: | 836072, 873487 | | |
| Attachments: | | | |
Description
Kurt Seifried
2012-11-05 21:30:42 UTC
/etc/keystone/ec2rc is not included in the openstack-keystone RPM; it is produced by the sample_data.sh script: https://github.com/openstack/keystone/blob/master/tools/sample_data.sh#L259

We'll patch that part out; neither the sample script nor the ec2rc file is documented in our guide: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_OpenStack_Preview/1/html/Getting_Started_Guide/index.html

Created attachment 641626 [details]: Proposed patch
> Also please note that the /etc/keystone/ directory should probably not be world readable at all.

Instead of the proposed patch, we could just fix that in the spec:
-%dir %{_sysconfdir}/keystone
+%dir %attr{0750, root, keystone} %{_sysconfdir}/keystone
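Review bot: the `%attr` macro takes its arguments in parentheses, not braces, so `%attr{0750, root, keystone}` on the `+` line will not be parsed as a file attribute; the line should read `%dir %attr(0750, root, keystone) %{_sysconfdir}/keystone`. Note also that tightening the directory mode does not change the mode of files that sample_data.sh later writes into it, so the ec2rc write itself still needs the earlier proposed patch or a restrictive mode on the file.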
Created openstack-keystone tracking bugs for this issue. Affects: epel-6 [bug 876287]

python-keystoneclient-0.1.3.27-1.el6, python-glanceclient-0.5.1-1.el6, python-websockify-0.2.0-1.el6, novnc-0.4-2.el6, python-prettytable-0.6.1-1.el6, openstack-quantum-2012.2-2.el6, python-quantumclient-2.1.1-0.el6, python-cinderclient-0.2.26-1.el6, python-novaclient-2.9.0-1.el6, python-django-openstack-auth-1.0.2-3.el6, openstack-nova-2012.2-2.el6, openstack-cinder-2012.2-3.el6, openstack-utils-2012.2-6.el6, openstack-glance-2012.2-3.el6, python-django-horizon-2012.2-4.el6, openstack-keystone-2012.2-5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Acknowledgements: This issue was discovered by Kurt Seifried of the Red Hat Security Response Team.

This issue has been addressed in the following products: OpenStack Essex for RHEL 6, via RHSA-2012:1556 https://rhn.redhat.com/errata/RHSA-2012-1556.html

openstack-keystone-2012.1.3-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
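An added audit script, not from the bug report or the Red Hat package, that lists anything under a Keystone config directory still readable by "other" (the exposure ec2rc had) and, with `--fix`, applies the layout the spec change above describes: directories 0750, files 0640, root:keystone ownership when run as root. The target path and the existence of a `keystone` group are assumptions; the ec2rc contents in the test are constructed.

```shell
#!/bin/sh
# Added example (not part of the bug report): audit a Keystone config
# directory for entries readable by "other" and optionally tighten them to
# the layout from the spec fix in this bug: dir 0750, files 0640,
# root:keystone. Assumes POSIX sh with GNU or BSD stat.

# Print the low three octal digits of a path's mode, e.g. 644.
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print every path under $1 (the directory itself included) whose mode has
# the other-read bit set; on a correctly hardened tree this prints nothing.
list_world_readable() {
    find "$1" -perm -004 -print | sort
}

# Tighten $1 in place: directories 0750, files 0640. Ownership is only
# changed when running as root and the keystone group exists, so the
# function is safe to call on a scratch copy as an unprivileged user.
harden_keystone_dir() {
    find "$1" -type d -exec chmod 0750 {} +
    find "$1" -type f -exec chmod 0640 {} +
    if [ "$(id -u)" -eq 0 ] && getent group keystone >/dev/null 2>&1; then
        chown -R root:keystone "$1"
    fi
}

# Usage: script DIR [--fix]   (DIR is typically /etc/keystone)
if [ "$#" -ge 1 ]; then
    printf 'Entries under %s readable by other:\n' "$1"
    list_world_readable "$1"
    if [ "${2:-}" = "--fix" ]; then
        harden_keystone_dir "$1"
        printf 'Hardened: %s is now mode %s\n' "$1" "$(perm_of "$1")"
    fi
fi
```

Run it without `--fix` first; a non-empty listing after the fix means a file was created with its own permissive mode and needs the same treatment the earlier proposed patch gives ec2rc.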