Jeremy Stanley of the OpenStack Project reports: Steven Hardy from Red Hat reported a vulnerability in Keystone trusts when used in conjunction with the ec2tokens API. By generating EC2 credentials using a trust-scoped token, a trustee may retrieve a token not scoped to the trust, therefore elevating privileges to all of the trustor's roles. Only Keystone setups enabling EC2-style authentication are affected.
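The scope loss described in the report above, as an added example that is not taken from the bug report, the attached patches, or Keystone: a simplified Python model showing how a credential minted from a trust-scoped token can yield a token with all of the trustor's roles. All names and data are constructed. The model assumes the trust-scoped token identifies the trustor, and its hardened path (recording the trust on the credential and re-applying it when a token is issued) is an assumed mitigation for illustration.

```python
# Simplified model of the flaw; not Keystone code. All names are hypothetical.
from dataclasses import dataclass
from typing import Optional
import secrets

# Constructed sample data: the trustor's roles on one project, and a trust
# that delegates only a subset of them.
USER_ROLES = {("alice", "proj1"): {"admin", "member"}}
TRUSTS = {"trust-1": {"trustor": "alice", "project": "proj1", "roles": {"member"}}}

@dataclass(frozen=True)
class Token:
    user: str
    project: str
    roles: frozenset
    trust_id: Optional[str] = None

@dataclass(frozen=True)
class Ec2Credential:
    access: str
    user: str
    project: str
    trust_id: Optional[str] = None

def trust_scoped_token(trust_id):
    """Token obtained by consuming the trust: delegated roles only.
    Assumption: the token identifies the trustor."""
    t = TRUSTS[trust_id]
    return Token(t["trustor"], t["project"], frozenset(t["roles"]), trust_id)

def create_ec2_credential(token, keep_trust):
    """keep_trust=False models the flaw: the delegation is dropped here."""
    return Ec2Credential(secrets.token_hex(8), token.user, token.project,
                         token.trust_id if keep_trust else None)

def ec2_authenticate(cred):
    """Exchange an EC2 credential for a token (signature check omitted)."""
    if cred.trust_id is not None:
        trust = TRUSTS.get(cred.trust_id)
        if trust is None:  # trust deleted or revoked: refuse
            raise PermissionError("trust no longer valid")
        roles = trust["roles"] & USER_ROLES[(cred.user, cred.project)]
        return Token(cred.user, cred.project, frozenset(roles), cred.trust_id)
    # No trust recorded: the token carries every role the user holds.
    return Token(cred.user, cred.project,
                 frozenset(USER_ROLES[(cred.user, cred.project)]))

def roles_via_ec2(trust_id, keep_trust):
    cred = create_ec2_credential(trust_scoped_token(trust_id), keep_trust)
    return set(ec2_authenticate(cred).roles)
```

A useful audit check follows from the model: any stored EC2 credential created from a delegated token should carry a reference to that delegation, and token issue should fail once the delegation is gone.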
Created attachment 833742 cve-2013-6391-master-icehouse.patch
Created attachment 833743 cve-2013-6391-stable-havana.patch
Acknowledgements: Red Hat would like to thank Jeremy Stanley of the OpenStack Project for reporting this issue. Upstream acknowledges Steven Hardy of Red Hat as the original reporter.
Proposed public disclosure date/time: Wednesday, December 11, 2013, 1500UTC
This issue has been addressed in the following products: OpenStack 4 for RHEL 6, via RHSA-2014:0089 https://rhn.redhat.com/errata/RHSA-2014-0089.html
This issue has been addressed in the following products: OpenStack 3 for RHEL 6, via RHSA-2014:0368 https://rhn.redhat.com/errata/RHSA-2014-0368.html
openstack-keystone-2013.1.5-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.