Jason Xu (yinyangxu) discovered several vulnerabilities in OpenStack Keystone token verification. The first occurs in the API /v2.0/OS-KSADM/services and /v2.0/OS-KSADM/services/{service_id}; the second occurs in /v2.0/tenants/{tenant_id}/users/{user_id}/roles. In both cases the OpenStack Keystone code fails to check if the tokens are valid. These issues have been addressed by adding checks in the form of test_service_crud_requires_auth() and test_user_role_list_requires_auth().

External references:
https://bugs.launchpad.net/keystone/+bug/1006822
https://bugs.launchpad.net/keystone/+bug/1006815
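The defect class described above (an endpoint handler that runs without ever validating the caller's token) and the shape of the fix (a token check in front of the handler plus a regression test that asserts the endpoint rejects unauthenticated calls) can be illustrated with a small, self-contained example. This is an added illustration, not Keystone's code or its patches: the decorator, handler and check names are hypothetical, and the token store and service/role data are constructed inline.

```python
# Added example, not Keystone's code: a minimal handler layer showing an
# endpoint that skips token validation beside the same endpoint protected by
# a token check, plus regression checks modelled on the report's
# *_requires_auth() tests. All names below are hypothetical.
import functools
import time

# Constructed token store: token id -> (user id, expiry as epoch seconds).
TOKEN_STORE = {
    "tok-admin-valid": ("admin", time.time() + 3600),
    "tok-expired": ("alice", time.time() - 1),
}

# Constructed backing data for the two endpoint families in the report.
SERVICES = {"svc-1": {"name": "keystone"}}
USER_ROLES = {("tenant-1", "user-1"): ["member"]}


class Unauthorized(Exception):
    """Raised when a request carries no valid token (maps to HTTP 401)."""


def validate_token(token_id):
    """Return the user id bound to a live token, or raise Unauthorized."""
    entry = TOKEN_STORE.get(token_id)
    if entry is None:
        raise Unauthorized("unknown token")
    user, expires_at = entry
    if time.time() >= expires_at:
        raise Unauthorized("expired token")
    return user


def protected(handler):
    """Decorator: require a valid X-Auth-Token header before running handler."""
    @functools.wraps(handler)
    def wrapper(request, *args, **kwargs):
        validate_token(request.get("X-Auth-Token"))
        return handler(request, *args, **kwargs)
    return wrapper


# Vulnerable form: the handler never looks at the token, so any caller can
# read the service list. This mirrors the missing check described above.
def list_services_unchecked(request):
    return 200, list(SERVICES.values())


# Fixed form: the same handler placed behind the token check.
@protected
def list_services(request):
    return 200, list(SERVICES.values())


@protected
def list_user_roles(request, tenant_id, user_id):
    return 200, USER_ROLES.get((tenant_id, user_id), [])


def call(handler, request, *args):
    """Dispatch helper: turn Unauthorized into a (401, reason) response."""
    try:
        return handler(request, *args)
    except Unauthorized as exc:
        return 401, str(exc)


# Regression checks in the spirit of the report's *_requires_auth() tests:
# each endpoint must reject a request with no token or an expired token.
def service_crud_requires_auth():
    no_token = call(list_services, {})[0] == 401
    expired = call(list_services, {"X-Auth-Token": "tok-expired"})[0] == 401
    return no_token and expired


def user_role_list_requires_auth():
    return call(list_user_roles, {}, "tenant-1", "user-1")[0] == 401


if __name__ == "__main__":
    print("unchecked endpoint, no token:", call(list_services_unchecked, {}))
    print("protected endpoint, no token:", call(list_services, {}))
    print("service check passes:", service_crud_requires_auth())
    print("role-list check passes:", user_role_list_requires_auth())
```

The point of the two check functions is that they fail against `list_services_unchecked` and pass against `list_services`, which is exactly the gap a `*_requires_auth()` test closes: once such a test exists for every endpoint, a handler that forgets the check cannot land silently.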
Created openstack-keystone tracking bugs for this issue Affects: fedora-all [bug 861182]
Created openstack-keystone tracking bugs for this issue Affects: epel-6 [bug 861183]
Created attachment 618256: CVE-2012-4456-keystone-1006815.patch
Created attachment 618257: CVE-2012-4456-keystone-1006822.patch
Official vendor advisory: https://lists.launchpad.net/openstack/msg17034.html
This issue has been addressed in the following products: OpenStack Essex for RHEL 6, via RHSA-2012:1378 https://rhn.redhat.com/errata/RHSA-2012-1378.html