Bug 1112668 (CVE-2014-3520) - CVE-2014-3520 openstack-keystone: Keystone V2 trusts privilege escalation through user supplied project id
Summary: CVE-2014-3520 openstack-keystone: Keystone V2 trusts privilege escalation thr...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3520
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1115643 1115640 1115641 1115642 1116152 1116153 1116481 1118196
Blocks: 1112670
TreeView+ depends on / blocked
 
Reported: 2014-06-24 12:49 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:18 UTC (History)
17 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way keystone handled trusts. A trustee could use an out-of-scope project ID to gain unauthorized access to a project if the trustor had the required roles for that requested project.
Clone Of:
Environment:
Last Closed: 2014-08-01 05:41:48 UTC


Attachments (Terms of Use)
stable/havana patch for CVE-2014-3520 (4.10 KB, patch)
2014-06-27 14:21 UTC, Vincent Danen
no flags Details | Diff
stable/icehouse patch for CVE-2014-3520 (4.10 KB, patch)
2014-06-27 14:21 UTC, Vincent Danen
no flags Details | Diff
master/juno patch for CVE-2014-3520 (4.14 KB, patch)
2014-06-27 14:22 UTC, Vincent Danen
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0994 normal SHIPPED_LIVE Important: openstack-keystone security update 2014-07-31 19:18:04 UTC

Description Vasyl Kaigorodov 2014-06-24 12:49:53 UTC
The OpenStack project reports:

...
Title: Keystone V2 trusts privilege escalation through user supplied project id
Reporter: Jamie Lennox (Red Hat)
Products: Keystone
Versions: up to 2013.2.3, and 2014.1 to 2014.1.1

Description:
Jamie Lennox from Red Hat reported a vulnerability in Keystone trusts.
By using an out of scope project id, a trustee may gain unauthorized
access if the trustor has the required roles in the requested project
id. All Keystone deployments configured to enable trusts and V2 API are
affected.
...

Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Jamie Lennox from Red Hat as the original reporter.

Comment 1 Vincent Danen 2014-06-27 14:21:22 UTC
Created attachment 912842 [details]
stable/havana patch for CVE-2014-3520

Comment 2 Vincent Danen 2014-06-27 14:21:56 UTC
Created attachment 912843 [details]
stable/icehouse patch for CVE-2014-3520

Comment 3 Vincent Danen 2014-06-27 14:22:28 UTC
Created attachment 912844 [details]
master/juno patch for CVE-2014-3520

Comment 7 Vincent Danen 2014-07-02 19:48:44 UTC
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-19 [bug 1115640]
Affects: fedora-20 [bug 1115641]
Affects: epel-6 [bug 1115642]

Comment 22 Martin Prpič 2014-07-31 14:50:54 UTC
IssueDescription:

A flaw was found in the way keystone handled trusts. A trustee could use an out-of-scope project ID to gain unauthorized access to a project if the trustor had the required roles for that requested project.

Comment 23 errata-xmlrpc 2014-07-31 15:18:23 UTC
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6
  OpenStack 4 for RHEL 6

Via RHSA-2014:0994 https://rhn.redhat.com/errata/RHSA-2014-0994.html

Comment 24 Fedora Update System 2014-08-07 15:24:20 UTC
openstack-keystone-2013.2.3-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.