Bug 1139937 (CVE-2014-3621) - CVE-2014-3621 openstack-keystone: configuration data information leak through Keystone catalog
Summary: CVE-2014-3621 openstack-keystone: configuration data information leak through...
Status: CLOSED ERRATA
Alias: CVE-2014-3621
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20140916,repo...
Keywords: Security
Depends On: 1142547 1142118 1142119 1142120 1142546
Blocks: 1139952 1150355
TreeView+ depends on / blocked
 
Reported: 2014-09-10 04:01 UTC by Murray McAllister
Modified: 2016-04-26 23:19 UTC (History)
17 users (show)

(edit)
A flaw was found in the keystone catalog URL replacement. A user with permissions to register an endpoint could use this flaw to leak configuration data, including the master admin_token. Only keystone setups that allow non-cloud-admin users to create endpoints were affected by this issue.
Clone Of:
(edit)
Last Closed: 2014-11-03 12:17:44 UTC


Attachments (Terms of Use)
patch from upstream for master (5.47 KB, patch)
2014-09-10 04:03 UTC, Murray McAllister
no flags Details | Diff
patch from upstream for havana (7.26 KB, patch)
2014-09-10 04:04 UTC, Murray McAllister
no flags Details | Diff
patch from upstream for icehouse (4.74 KB, patch)
2014-09-10 04:05 UTC, Murray McAllister
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1688 normal SHIPPED_LIVE Important: openstack-keystone security and bug fix update 2014-10-22 21:21:12 UTC
Red Hat Product Errata RHSA-2014:1789 normal SHIPPED_LIVE Important: openstack-keystone security and bug fix update 2014-11-03 13:47:16 UTC
Red Hat Product Errata RHSA-2014:1790 normal SHIPPED_LIVE Important: openstack-keystone security and bug fix update 2014-11-03 13:47:09 UTC

Description Murray McAllister 2014-09-10 04:01:52 UTC
The OpenStack project reports:

""
Title: Configuration option leak through Keystone catalog
Reporter: Brant Knudson (IBM)
Products: Keystone
Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2.1

Description:
Brant Knudson from IBM reported a vulnerability in Keystone catalog URL
replacement. By creating a malicious endpoint a privileged user may
reveal configuration options resulting in sensitive information, like
master admin_token, being exposed through the service url. All Keystone
setups that allow non-admin users to create endpoints are affected.
""

Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Brant Knudson from IBM as the original reporter.

Comment 2 Murray McAllister 2014-09-10 04:03:22 UTC
Created attachment 935976 [details]
patch from upstream for master

Comment 3 Murray McAllister 2014-09-10 04:04:16 UTC
Created attachment 935978 [details]
patch from upstream for havana

Comment 4 Murray McAllister 2014-09-10 04:05:29 UTC
Created attachment 935980 [details]
patch from upstream for icehouse

Comment 7 Murray McAllister 2014-09-17 03:01:24 UTC
This issue is public now:

http://www.openwall.com/lists/oss-security/2014/09/16/10

Comment 8 Murray McAllister 2014-09-17 03:02:06 UTC
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1142546]

Comment 10 Martin Prpič 2014-10-20 12:09:50 UTC
IssueDescription:

A flaw was found in the keystone catalog URL replacement. A user with permissions to register an endpoint could use this flaw to leak configuration data, including the master admin_token. Only keystone setups that allow non-cloud-admin users to create endpoints were affected by this issue.

Comment 11 errata-xmlrpc 2014-10-22 17:22:39 UTC
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:1688 https://rhn.redhat.com/errata/RHSA-2014-1688.html

Comment 12 errata-xmlrpc 2014-11-03 08:47:41 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 7

Via RHSA-2014:1790 https://rhn.redhat.com/errata/RHSA-2014-1790.html

Comment 13 errata-xmlrpc 2014-11-03 08:47:57 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6

Via RHSA-2014:1789 https://rhn.redhat.com/errata/RHSA-2014-1789.html


Note You need to log in before you can comment on or make changes to this bug.