Bug 953910 (CVE-2013-1977) - CVE-2013-1977 openstack-keystone: Insecure management of LDAP and admin_token configuration file values
Summary: CVE-2013-1977 openstack-keystone: Insecure management of LDAP and admin_token...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-1977
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 953921
Reported: 2013-04-19 13:51 UTC by Jan Lieskovsky
Modified: 2021-02-17 07:47 UTC (History)
11 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-08-09 03:55:24 UTC
Embargoed:


Description Jan Lieskovsky 2013-04-19 13:51:10 UTC
A security flaw was found in the way OpenStack Keystone (previously) managed the LDAP password and admin_token values in the Keystone daemon configuration file. A local attacker could use this flaw to obtain sensitive information.

References:
[1] https://bugs.launchpad.net/keystone/+bug/1168252
[2] http://www.openwall.com/lists/oss-security/2013/04/19/2

Relevant upstream patch (Gerrit form):
[3] https://review.openstack.org/#/c/26826/

Comment 2 Jan Lieskovsky 2013-04-24 07:46:16 UTC
Further disambiguation of the CVE-2013-1977 vs. CVE-2013-2006 IDs:
  https://bugs.launchpad.net/devstack/+bug/1168252/comments/7

Comment 3 Vincent Danen 2013-05-09 17:49:13 UTC
CVE-2013-1977 does not affect our installer, as it was hardened previously and has 0600 permissions, as noted on oss-sec:

http://seclists.org/oss-sec/2013/q2/126

Statement:

Not vulnerable.  This issue did not affect the version of openstack-keystone as shipped with Red Hat OpenStack Folsom.
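The mitigation Comment 3 relies on, a keystone.conf that is mode 0600 so only the owner can read the admin_token and LDAP password, is easy to verify mechanically. The script below is an added example, not code from the bug report, from Keystone or from the Red Hat installer. It parses a constructed sample config, reports which of the two secrets named in the advisory are present, and flags the file if group or other can read it; the sample file, its path and the placeholder secret values are all assumptions made for the example.

```python
"""
Added example: audit a keystone.conf for the exposure CVE-2013-1977
describes, i.e. admin_token or an LDAP password sitting in a file that
group or other can read, and apply the 0600 hardening Comment 3 mentions.
The sample config and its contents are constructed for this example.
"""
import configparser
import os
import stat
import tempfile

# The two configuration values the advisory names, as (section, option).
SECRET_OPTIONS = (("DEFAULT", "admin_token"), ("ldap", "password"))


def find_secrets(path):
    """Return the (section, option) pairs from SECRET_OPTIONS that carry a
    non-empty value in the config file at `path`."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path)
    found = []
    for section, option in SECRET_OPTIONS:
        if section == "DEFAULT":
            value = cp.defaults().get(option)
        elif cp.has_section(section):
            value = cp.get(section, option, fallback=None)
        else:
            value = None
        if value:
            found.append((section, option))
    return found


def group_or_other_readable(path):
    """True if the mode bits grant read access to group or other."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(path):
    """Return one finding string per exposed secret; an empty list means the
    file either holds no secrets or is readable only by its owner."""
    secrets = find_secrets(path)
    if not secrets or not group_or_other_readable(path):
        return []
    mode = oct(stat.S_IMODE(os.stat(path).st_mode))
    return [f"{path}: [{section}] {option} readable by group/other (mode {mode})"
            for section, option in secrets]


def harden(path):
    """Apply the owner-only 0600 mode Comment 3 describes."""
    os.chmod(path, 0o600)


# Constructed sample keystone.conf; the secret values are placeholders.
SAMPLE_CONF = """\
[DEFAULT]
admin_token = ADMIN-TOKEN-PLACEHOLDER
bind_host = 0.0.0.0

[ldap]
url = ldap://localhost
user = cn=Admin,dc=example,dc=com
password = LDAP-PASSWORD-PLACEHOLDER
"""


def demo():
    """Write the sample config world-readable (0644), audit it, harden it to
    0600, audit again. Returns (findings_before, findings_after)."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_CONF)
    os.chmod(path, 0o644)  # the weak mode the advisory is about
    before = audit(path)
    harden(path)
    after = audit(path)
    os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("findings with mode 0644:")
    for line in before:
        print("  " + line)
    print("findings with mode 0600:", after)
```

Run it as-is to see the two findings disappear after `harden()`; point `audit()` at a real /etc/keystone/keystone.conf to check a deployment. The check is deliberately strict about group read as well as other read, since a group-readable config only helps if nothing untrusted shares that group.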

