The OpenStack project reports: "" Title: Configuration option leak through Keystone catalog Reporter: Brant Knudson (IBM) Products: Keystone Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2.1 Description: Brant Knudson from IBM reported a vulnerability in Keystone catalog URL replacement. By creating a malicious endpoint a privileged user may reveal configuration options resulting in sensitive information, like master admin_token, being exposed through the service url. All Keystone setups that allow non-admin users to create endpoints are affected. "" Acknowledgements: Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Brant Knudson from IBM as the original reporter.
Created attachment 935976 [details] patch from upstream for master
Created attachment 935978 [details] patch from upstream for havana
Created attachment 935980 [details] patch from upstream for icehouse
This issue is public now: http://www.openwall.com/lists/oss-security/2014/09/16/10
Created openstack-keystone tracking bugs for this issue: Affects: fedora-all [bug 1142546]
IssueDescription: A flaw was found in the keystone catalog URL replacement. A user with permissions to register an endpoint could use this flaw to leak configuration data, including the master admin_token. Only keystone setups that allow non-cloud-admin users to create endpoints were affected by this issue.
This issue has been addressed in the following products: OpenStack 4 for RHEL 6 Via RHSA-2014:1688 https://rhn.redhat.com/errata/RHSA-2014-1688.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 7 Via RHSA-2014:1790 https://rhn.redhat.com/errata/RHSA-2014-1790.html
This issue has been addressed in the following products: OpenStack 5 for RHEL 6 Via RHSA-2014:1789 https://rhn.redhat.com/errata/RHSA-2014-1789.html