A security flaw was found in the way Keystone, a Python implementation of the OpenStack identity service API, performed user authentication when the LDAP backend was used (previously, a user-provided empty LDAP password resulted in an anonymous LDAP bind being performed, resulting in successful user authentication). A remote attacker could use this flaw to obtain unauthorized access to the OpenStack functionality (user account impersonation, retrieval of valid authentication tokens). Note: This issue affects only Keystone configurations using the LDAP authentication backend. Acknowledgements: Red Hat would like to thank Thierry Carrez of OpenStack upstream for reporting this issue. Upstream acknowledges Jose Castro Leon of CERN as the original issue reporter.
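The failure mode described above, as an added example that is not Keystone's code: a simulated LDAP directory reproduces the empty-password anonymous-bind behaviour, and the hardened authenticate function shows the check that closes it. The directory class, the DN and the password are constructed for this example.

```python
# Added example (not Keystone's code): models the LDAP simple-bind semantics
# behind the flaw and contrasts a naive authenticate() with a hardened one.
from typing import Optional


class FakeLdapDirectory:
    """Stand-in for an LDAP server (constructed for this example).

    Under RFC 4513 a simple bind that supplies a DN together with an empty
    password is an *unauthenticated* bind; many servers accept it and grant
    anonymous access instead of failing. That behaviour is modelled here.
    """

    def __init__(self, users: dict):
        self.users = users  # dn -> password (constructed sample data)

    def simple_bind(self, dn: str, password: str) -> str:
        if password == "":
            return "anonymous"  # bind "succeeds", but nobody is authenticated
        if self.users.get(dn) == password:
            return dn
        raise PermissionError("invalid credentials")


def authenticate_vulnerable(ldap, dn: str, password: Optional[str]) -> bool:
    # Treats any bind that does not raise as proof of identity.
    try:
        ldap.simple_bind(dn, password or "")
        return True
    except PermissionError:
        return False


def authenticate_fixed(ldap, dn: str, password: Optional[str]) -> bool:
    # Never bind with a missing or empty password ...
    if not password:
        return False
    try:
        # ... and require the bound identity to be the user being checked.
        return ldap.simple_bind(dn, password) == dn
    except PermissionError:
        return False


# Constructed sample directory with a single user.
ALICE = "cn=alice,ou=users,dc=example,dc=com"
DIRECTORY = FakeLdapDirectory({ALICE: "s3cret"})
```

With the vulnerable function, an empty or absent password for a real DN is accepted; the hardened one rejects it and still accepts the correct password.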
Created attachment 758168: Proposed upstream patch for the issue against master branch
Created attachment 758169: Proposed upstream patch for the issue against grizzly branch
Created attachment 758170: Proposed upstream patch for the issue against folsom branch
A preliminary embargo date for this issue has been set by OpenStack upstream to Thursday, 13 June 2013, 15:00 UTC.
This issue affects the versions of the openstack-keystone package as shipped with Fedora releases 17, 18, Rawhide and Fedora EPEL-6.
This issue did NOT affect the versions of python-keystoneclient as shipped with Fedora releases 17, 18, Rawhide and Fedora EPEL-6.
Created openstack-keystone tracking bugs for this issue:
Affects: fedora-all [bug 974950]
Affects: epel-6 [bug 974951]
This issue has been addressed in the following products: OpenStack 3 for RHEL 6. Via RHSA-2013:0994 https://rhn.redhat.com/errata/RHSA-2013-0994.html
openstack-keystone-2012.2.4-5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: OpenStack Folsom for RHEL 6. Via RHSA-2013:1083 https://rhn.redhat.com/errata/RHSA-2013-1083.html
openstack-keystone-2013.1.2-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
openstack-keystone-2012.2.4-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.