Bug 1095981 (CVE-2014-0204) - CVE-2014-0204 openstack-keystone: user and group id mismatch
Summary: CVE-2014-0204 openstack-keystone: user and group id mismatch
Alias: CVE-2014-0204
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1101008 1112079
Blocks: 1095984
Reported: 2014-05-09 02:38 UTC by Murray McAllister
Modified: 2021-02-17 06:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-06-23 06:40:43 UTC


Description Murray McAllister 2014-05-09 02:38:27 UTC
The OpenStack project reports:

Title: Keystone user and group id mismatch
Reporter: Michael Stancampiano (IBM)
Products: Keystone
Versions: 2014.1

Michael Stancampiano from IBM reported a vulnerability in Keystone.
Someone with write access to the user and group repository (such as the
LDAP directory server) may willingly or unwillingly grant additional
rights by picking the same IDs for users and groups, resulting in roles
assigned to a group being assigned to the affected user even if he is
not a member of this group. Only Keystone setups using LDAP for the
Identity driver are affected.


Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Michael Stancampiano of IBM as the original reporter.
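The lookup flaw the advisory describes, modelled as an added illustration that is not part of this bug report or of Keystone's code: a role-assignment lookup keyed on the actor id alone, beside one that checks the actor type and the user's real group membership, plus the audit check a directory owner can run for colliding ids. All identity data, ids and role names below are constructed.

```python
# Added model of the CVE-2014-0204 lookup flaw (not Keystone's code):
# role assignments keyed on an opaque actor id leak a group's roles to
# any user whose id collides with the group's id.

# Constructed identity data, shaped like what an LDAP-backed driver
# returns: user "alice" and an unrelated group share the id "1001";
# "bob" really is a member of that group.
USERS = {"1001": {"name": "alice", "groups": set()},
         "2002": {"name": "bob", "groups": {"1001"}}}
GROUPS = {"1001": {"name": "cloud-admins"}}

# (actor_id, actor_type, project, role); the vulnerable path ignores
# actor_type entirely.
ASSIGNMENTS = [
    ("1001", "group", "prod", "admin"),
    ("1001", "user", "dev", "member"),
]


def effective_roles_vulnerable(user_id, project):
    """Match on actor id only: the group's 'admin' on prod is granted to
    alice even though she is not a member of cloud-admins."""
    return {role for actor, _kind, proj, role in ASSIGNMENTS
            if actor == user_id and proj == project}


def effective_roles_fixed(user_id, project):
    """Apply user assignments by id, and group assignments only for
    groups the user actually belongs to."""
    member_of = USERS[user_id]["groups"]
    roles = set()
    for actor, kind, proj, role in ASSIGNMENTS:
        if proj != project:
            continue
        if kind == "user" and actor == user_id:
            roles.add(role)
        elif kind == "group" and actor in member_of:
            roles.add(role)
    return roles


def colliding_ids(users, groups):
    """Audit check: ids present in both the user and the group namespace."""
    return set(users) & set(groups)


if __name__ == "__main__":
    print("vulnerable:", sorted(effective_roles_vulnerable("1001", "prod")))
    print("fixed:", sorted(effective_roles_fixed("1001", "prod")))
    print("collisions:", sorted(colliding_ids(USERS, GROUPS)))
```

Running the script shows the vulnerable lookup handing alice "admin" on prod while the fixed lookup grants her nothing there; the collision check is the audit a deployment using the LDAP Identity driver would want to run regardless of patch status.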

Comment 4 Alan Pevec 2014-05-21 22:06:43 UTC
This went public today http://lists.openstack.org/pipermail/openstack-announce/2014-May/000231.html

Please create Fedora clone.

Comment 6 Murray McAllister 2014-05-25 12:18:48 UTC
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1101008]

Comment 7 Murray McAllister 2014-05-25 12:19:27 UTC
Note that there is a regression in the original patches: https://review.openstack.org/94397

Comment 9 Garth Mollett 2014-05-28 06:57:34 UTC
Not vulnerable. This issue did not affect the versions of openstack-keystone as shipped with Red Hat Enterprise Linux OpenStack Platform 3 and 4.
