The following flaw in OpenStack Grizzly and Havana was reported [1],[2]: The IBM OpenStack test team reported a vulnerability in role change code within the Keystone LDAP backend. When a role on a tenant is removed from a user, and that user doesn't have that role on the tenant, then the user may actually be granted the role on the tenant. A user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using an LDAP backend are affected. A CVE has been requested.

[1] https://bugs.launchpad.net/keystone/+bug/1242855
[2] http://seclists.org/oss-sec/2013/q4/186
The Grizzly fix is here: https://github.com/openstack/keystone/commit/82dcde08f60c45002955875664a3cf82d1d211bc The Havana fix is here: https://github.com/openstack/keystone/commit/4221b6020e6b0b42325d8904d7b8a22577a6acc0 The upstream bug report contains fairly detailed reproduction instructions as well. Note that this requires administrator privileges.
Upstream fix information:

Reviewed: https://review.openstack.org/53010
Committed: http://github.com/openstack/keystone/commit/b17e7bec768bd53d3977352486378698a3db3cfa
Submitter: Jenkins
Branch: master

commit b17e7bec768bd53d3977352486378698a3db3cfa
Author: Brant Knudson <bknudson.com>
Date: Mon Oct 21 15:21:12 2013 -0500

    Enhance tests for deleting a role not assigned

    There wasn't a test that showed what happens when a role is deleted that was never assigned.

    Change-Id: I2845e3f03dc8e8f1dd41d8f41d2f6669004bc506
    Related-bug: #1242855

Reviewed: https://review.openstack.org/53012
Committed: http://github.com/openstack/keystone/commit/c6800ca1ac984c879e75826df6694d6199444ea0
Submitter: Jenkins
Branch: master

commit c6800ca1ac984c879e75826df6694d6199444ea0
Author: Brant Knudson <bknudson.com>
Date: Mon Oct 21 15:31:23 2013 -0500

    Fix remove role assignment adds role using LDAP assignment

    When using the LDAP assignment backend, attempting to remove a role assignment when the role hadn't been used before would actually add the role assignment and would not return a 404 Not Found like the SQL backend. This change makes it so that when attempting to remove a role that wasn't assigned, 404 Not Found is returned.

    Closes-Bug: #1242855
    Change-Id: I28ccd26cc4bb1a241d0363d0ab52d2c11410e8b3
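The failure mode the commit message describes (a "remove role" call that, when the per-tenant role entry does not exist yet, ends up creating it with the user as an occupant, instead of returning 404) is modelled below. This is an added illustration, not Keystone's code and not the upstream patch: the in-memory FakeDirectory, the DN layout under ou=Projects, the roleOccupant attribute name and the tenant/role/user identifiers are all assumptions made for the example. remove_role_vulnerable reproduces the reported behaviour; remove_role_fixed shows the corrected contract (RoleNotFound, i.e. 404, for an unassigned role).

```python
"""Model of the CVE-2013-4477 behaviour: 'remove role' that grants the role.

Illustrative reconstruction only; the directory, DN layout, attribute names
and identifiers are assumptions, not Keystone's actual implementation.
"""


class NoSuchObject(Exception):
    """Stand-in for ldap.NO_SUCH_OBJECT: the target entry does not exist."""


class NoSuchAttribute(Exception):
    """Stand-in for ldap.NO_SUCH_ATTRIBUTE: the value to delete is absent."""


class RoleNotFound(Exception):
    """Stand-in for Keystone's RoleNotFound, rendered to clients as 404."""


MOD_ADD, MOD_DELETE = "add", "delete"


class FakeDirectory:
    """Minimal in-memory LDAP stand-in: dn -> {attribute: [values]}."""

    def __init__(self):
        self.entries = {}

    def add_s(self, dn, attrs):
        if dn in self.entries:
            raise ValueError("entry already exists: %s" % dn)
        self.entries[dn] = {attr: list(values) for attr, values in attrs}

    def modify_s(self, dn, modlist):
        entry = self.entries.get(dn)
        if entry is None:
            raise NoSuchObject(dn)
        for op, attr, values in modlist:
            if op == MOD_ADD:
                entry.setdefault(attr, []).extend(values)
            elif op == MOD_DELETE:
                current = entry.get(attr, [])
                if any(v not in current for v in values):
                    raise NoSuchAttribute(attr)
                entry[attr] = [v for v in current if v not in values]

    def occupants(self, dn):
        return list(self.entries.get(dn, {}).get("roleOccupant", []))


def role_dn(tenant_id, role_id):
    # Assumed layout: one role entry per tenant under ou=Projects.
    return "cn=%s,ou=Roles,cn=%s,ou=Projects,dc=example,dc=com" % (role_id, tenant_id)


def user_dn(user_id):
    return "cn=%s,ou=Users,dc=example,dc=com" % user_id


def grant_role(conn, tenant_id, role_id, user_id):
    """Legitimate add path: append the user, creating the entry on first use."""
    dn = role_dn(tenant_id, role_id)
    try:
        conn.modify_s(dn, [(MOD_ADD, "roleOccupant", [user_dn(user_id)])])
    except NoSuchObject:
        conn.add_s(dn, [("objectClass", ["organizationalRole"]),
                        ("roleOccupant", [user_dn(user_id)])])


def remove_role_vulnerable(conn, tenant_id, role_id, user_id):
    """Flawed handler: the missing-entry branch reuses the add path, so
    removing a role that was never assigned on this tenant GRANTS it."""
    dn = role_dn(tenant_id, role_id)
    try:
        conn.modify_s(dn, [(MOD_DELETE, "roleOccupant", [user_dn(user_id)])])
    except NoSuchObject:
        conn.add_s(dn, [("objectClass", ["organizationalRole"]),
                        ("roleOccupant", [user_dn(user_id)])])


def remove_role_fixed(conn, tenant_id, role_id, user_id):
    """Corrected handler: an unassigned role is reported as not found (404),
    matching the SQL backend, whether the entry or just the value is missing."""
    dn = role_dn(tenant_id, role_id)
    try:
        conn.modify_s(dn, [(MOD_DELETE, "roleOccupant", [user_dn(user_id)])])
    except (NoSuchObject, NoSuchAttribute):
        raise RoleNotFound(role_id)


def user_has_role(conn, tenant_id, role_id, user_id):
    return user_dn(user_id) in conn.occupants(role_dn(tenant_id, role_id))


def reproduce(handler, tenant_id="demo", role_id="admin", user_id="alice"):
    """Run the reported sequence (remove a role that was never assigned) on a
    fresh directory; returns 'granted', 'noop' or '404'."""
    conn = FakeDirectory()
    try:
        handler(conn, tenant_id, role_id, user_id)
    except RoleNotFound:
        return "404"
    return "granted" if user_has_role(conn, tenant_id, role_id, user_id) else "noop"


if __name__ == "__main__":
    print("vulnerable:", reproduce(remove_role_vulnerable))  # granted
    print("fixed:     ", reproduce(remove_role_fixed))       # 404
```

The model also shows why the fix has to cover both LDAP error cases: NO_SUCH_OBJECT (the role entry for that tenant has never been created) and NO_SUCH_ATTRIBUTE (the entry exists but the user is not an occupant). Either way the correct answer to "remove an assignment that does not exist" is 404, never a write.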
Created openstack-keystone tracking bugs for this issue: Affects: fedora-all [bug 1024441] Affects: epel-6 [bug 1024442]
Created attachment 817139 [details] CVE-2013-4477-grizzly.patch
Created attachment 817140 [details] CVE-2013-4477-havana.patch
Created attachment 817141 [details] CVE-2013-4477-icehouse.patch
openstack-keystone-2013.1.4-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
openstack-keystone-2013.2.1-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2014:0113 https://rhn.redhat.com/errata/RHSA-2014-0113.html