Russell Bryant (rbryant) on behalf of the OpenStack project reports:

Title: Lack of authorization for adding users to tenants
Impact: Critical
Reporter: Dolph Mathews (Rackspace)
Products: Keystone
Affects: Essex, Folsom

Description:
Dolph Mathews reported a vulnerability in Keystone. When attempting to update a user's default tenant, Keystone will only partially deny the request when a user is not authorized to complete this action. The API responds with 401 Not Authorized and the user's default tenant is not changed. However, the user is still granted membership to this new tenant. The result is that any client that can reach the administrative API (deployed on port 35357, by default) can add any user to any tenant.
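A toy model of the control-flow defect the advisory describes, added here as an illustration (not Keystone's code; all class, method and identifier names are hypothetical): the vulnerable handler grants tenant membership before it checks the caller's authorization, so the 401 only stops the default-tenant change, while the corrected handler authorizes before touching any state.

```python
# Constructed model of the CVE-2012-3542 bug class: a side effect (tenant
# membership) is applied before the authorization check, so a request that
# is denied with 401 still leaves state changed. Not Keystone code.


class Unauthorized(Exception):
    """Stands in for the 401 Not Authorized API response."""


class IdentityStore:
    def __init__(self):
        self.default_tenant = {}   # user_id -> tenant_id
        self.memberships = {}      # tenant_id -> set of user_ids
        self.admins = set()        # user_ids allowed to use the admin API

    def is_admin(self, caller_id):
        return caller_id in self.admins

    def add_user_to_tenant(self, tenant_id, user_id):
        self.memberships.setdefault(tenant_id, set()).add(user_id)

    def update_user_vulnerable(self, caller_id, user_id, tenant_id):
        # Membership is granted first ...
        self.add_user_to_tenant(tenant_id, user_id)
        # ... and only then is the caller checked, so the 401 protects
        # nothing but the default-tenant assignment below.
        if not self.is_admin(caller_id):
            raise Unauthorized("401 Not Authorized")
        self.default_tenant[user_id] = tenant_id

    def update_user_fixed(self, caller_id, user_id, tenant_id):
        # Authorize before any state change; a denied request is a no-op.
        if not self.is_admin(caller_id):
            raise Unauthorized("401 Not Authorized")
        self.add_user_to_tenant(tenant_id, user_id)
        self.default_tenant[user_id] = tenant_id


def membership_after_denied_update(handler_name):
    """Send a non-admin's update through the named handler and report
    whether the target user ended up in the tenant despite the 401."""
    store = IdentityStore()
    store.admins.add("admin")
    handler = getattr(store, handler_name)
    try:
        handler(caller_id="nonadmin", user_id="alice", tenant_id="finance")
    except Unauthorized:
        pass  # the API answered 401, as in the advisory
    return "alice" in store.memberships.get("finance", set())
```

Running both handlers through the same denied request shows the difference: the vulnerable one leaves the membership behind, the fixed one does not.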
Created attachment 607673: CVE-2012-3542-core.py.patch
Created openstack-keystone tracking bugs for this issue Affects: fedora-all [bug 853244]
Created openstack-keystone tracking bugs for this issue Affects: epel-6 [bug 853245]
This is now public: https://lists.launchpad.net/openstack/msg16282.html
Upstream patches:
https://github.com/openstack/keystone/commit/5438d3b5a219d7c8fa67e66e538d325a61617155
https://github.com/openstack/keystone/commit/c13d0ba606f7b2bdc609a7f388334e5efec3f3aa
Acknowledgements: Red Hat would like to thank Dolph Mathews for reporting this issue.
This issue has been addressed in the following products:
OpenStack Essex for RHEL 6, via RHSA-2012:1378 https://rhn.redhat.com/errata/RHSA-2012-1378.html