The OpenStack project reports:
Title: Keystone V2 trusts privilege escalation through user supplied project id
Reporter: Jamie Lennox (Red Hat)
Versions: up to 2013.2.3, and 2014.1 to 2014.1.1
Jamie Lennox from Red Hat reported a vulnerability in Keystone trusts.
By using an out of scope project id, a trustee may gain unauthorized
access if the trustor has the required roles in the requested project
id. All Keystone deployments configured to enable trusts and V2 API are
Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Jamie Lennox from Red Hat as the original reporter.
Created attachment 912842 [details]
stable/havana patch for CVE-2014-3520
Created attachment 912843 [details]
stable/icehouse patch for CVE-2014-3520
Created attachment 912844 [details]
master/juno patch for CVE-2014-3520
This issue is now public:
Created openstack-keystone tracking bugs for this issue:
Affects: fedora-19 [bug 1115640]
Affects: fedora-20 [bug 1115641]
Affects: epel-6 [bug 1115642]
A flaw was found in the way keystone handled trusts. A trustee could use an out-of-scope project ID to gain unauthorized access to a project if the trustor had the required roles for that requested project.
This issue has been addressed in following products:
OpenStack 3 for RHEL 6
OpenStack 4 for RHEL 6
Via RHSA-2014:0994 https://rhn.redhat.com/errata/RHSA-2014-0994.html
openstack-keystone-2013.2.3-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.