OSVDB ID: 85113

Title: OpenStack Keystone User Tenant Update Handling Admin API Access Restriction Bypass

Info

Disclosure

Aug 30, 2012

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Aug 24, 2012

Description

OpenStack Keystone contains a flaw that is triggered during the updating of user tenants. This may allow a remote attacker to gain membership to the new tenant and gain access to administrative APIs.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Public
Disclosure: Vendor Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, a patch has been committed to the CVS/GIT repository that addresses this vulnerability. Until it is incorporated into the next release of the software, manually patching an existing installation is the only known available solution. Check the vendor advisory or solution URL in the references section.

Products

OpenStack, LLC.

OpenStack Keystone

Essex (2012.1)

References

CVE ID: 2012-3542 (see also: NVD)
Secunia Advisory ID: 50467 50494
Mail List Post: http://www.openwall.com/lists/oss-security/2012/08/30/6
Vendor Specific News/Changelog Entry: http://www.ubuntu.com/usn/usn-1552-1/
https://bugs.launchpad.net/keystone/+bug/1040626

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/85113