Bug 489750 (CVE-2013-4477) - sys-auth/keystone: Unintentional role granting with Keystone LDAP backend (CVE-2013-4477)
Summary: sys-auth/keystone: Unintentional role granting with Keystone LDAP backend (CV...
Status: RESOLVED FIXED
Alias: CVE-2013-4477
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal (priority), trivial (severity)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2013/q4/186
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-29 11:45 UTC by Mikle Kolyada
Modified: 2013-11-19 04:13 UTC

See Also:
Package list:
Runtime testing required: ---


Description Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-10-29 11:45:31 UTC
from ${URL}:

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public,
although an advisory was not sent yet.

"""
Title: Unintentional role granting with Keystone LDAP backend
Reporter: The IBM OpenStack test team
Products: Keystone
Affects: Grizzly, Havana

Description:
The IBM OpenStack test team reported a vulnerability in role change
code within the Keystone LDAP backend. When a role on a tenant is
removed from a user, and that user doesn't have that role on the
tenant, then the user may actually be granted the role on the tenant.
A user could use social engineering and leverage that vulnerability to
get extra roles granted, or may accidentally be granted extra roles.
Only Keystone setups using a LDAP backend are affected.
"""

References:
https://bugs.launchpad.net/keystone/+bug/1242855

Thanks in advance,

-- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
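The failure class the advisory describes, modelled in Python as an added example that is not Keystone's code and does not reproduce the upstream patch. It assumes an LDAP-style layout with one entry per role on a tenant whose members sit in a multi-valued attribute (the DN helpers, the in-memory directory and all names are constructed for the example). The point it shows: a removal path whose error handling borrows the grant path's "create the role entry on first use" fallback turns a removal of a role the user never had into a grant, which is exactly the "user doesn't have that role on the tenant, then the user may actually be granted the role" condition above. The hardened version leaves the directory untouched on every error path, and a small regression check exercises both.

```python
"""Model of CVE-2013-4477's failure class: a role *removal* that grants.

Constructed example, not Keystone's code. Emulates an LDAP-style store of
role entries (role DN -> member DNs) with MOD_ADD / MOD_DELETE semantics.
"""
from dataclasses import dataclass, field


class NoSuchObject(Exception):
    """The target entry (role on tenant) does not exist."""


class NoSuchAttributeValue(Exception):
    """The entry exists but does not hold the member value being deleted."""


class RoleNotFound(Exception):
    pass


class UserNotInRole(Exception):
    pass


@dataclass
class RoleDirectory:
    """Minimal in-memory stand-in for the LDAP tree: role DN -> set of member DNs."""
    entries: dict = field(default_factory=dict)

    def add_entry(self, role_dn, members):
        self.entries[role_dn] = set(members)

    def mod_add(self, role_dn, member_dn):
        if role_dn not in self.entries:
            raise NoSuchObject(role_dn)
        self.entries[role_dn].add(member_dn)

    def mod_delete(self, role_dn, member_dn):
        if role_dn not in self.entries:
            raise NoSuchObject(role_dn)
        if member_dn not in self.entries[role_dn]:
            raise NoSuchAttributeValue(member_dn)
        self.entries[role_dn].discard(member_dn)

    def has_role(self, role_dn, member_dn):
        return member_dn in self.entries.get(role_dn, set())


def role_dn(role_id, tenant_id):
    # Hypothetical DN layout (assumption): one role entry per tenant.
    return f"cn={role_id},cn={tenant_id},ou=Projects,dc=example,dc=com"


def user_dn(user_id):
    return f"cn={user_id},ou=Users,dc=example,dc=com"


def grant_role(directory, user_id, tenant_id, role_id):
    """Grant path: create the role entry on first use, then add the member."""
    rdn, udn = role_dn(role_id, tenant_id), user_dn(user_id)
    try:
        directory.mod_add(rdn, udn)
    except NoSuchObject:
        directory.add_entry(rdn, [udn])


def remove_role_vulnerable(directory, user_id, tenant_id, role_id):
    """Removal path whose fallback mirrors the grant path.

    If the role was never assigned on this tenant the entry is missing,
    MOD_DELETE raises NoSuchObject, and the handler *creates* the entry with
    the user as its first member: the removal becomes a grant.
    """
    rdn, udn = role_dn(role_id, tenant_id), user_dn(user_id)
    try:
        directory.mod_delete(rdn, udn)
    except NoSuchObject:
        directory.add_entry(rdn, [udn])  # BUG: the inverse of the requested operation


def remove_role_fixed(directory, user_id, tenant_id, role_id):
    """Hardened removal: every error path reports the error and changes nothing."""
    rdn, udn = role_dn(role_id, tenant_id), user_dn(user_id)
    try:
        directory.mod_delete(rdn, udn)
    except NoSuchObject:
        raise RoleNotFound(role_id)
    except NoSuchAttributeValue:
        raise UserNotInRole(f"{user_id} has no {role_id} on {tenant_id}")


def removal_grants(remove_fn, user_id="alice", tenant_id="tenant1", role_id="admin"):
    """Regression check: remove a role the user never held and report whether
    the directory ends up granting it. A correct backend returns False."""
    d = RoleDirectory()
    try:
        remove_fn(d, user_id, tenant_id, role_id)
    except (RoleNotFound, UserNotInRole):
        pass
    return d.has_role(role_dn(role_id, tenant_id), user_dn(user_id))


if __name__ == "__main__":
    print("vulnerable removal grants:", removal_grants(remove_role_vulnerable))
    print("fixed removal grants:     ", removal_grants(remove_role_fixed))
```

The `removal_grants` check is the property worth keeping in any assignment backend's test suite: deleting an assignment that does not exist must fail loudly or be a no-op, and must never write to the directory. Whether the backend is LDAP, SQL or anything else, an error handler on the delete path that shares code with the create path is where this class of inversion hides.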
Comment 1 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-10-29 11:50:30 UTC
fixed by upstream:

https://review.openstack.org/#/c/53146/
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-11-05 02:26:02 UTC
CVE-2013-4477 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4477):
  The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when
  removing a role on a tenant for a user who does not have that role, adds the
  role to the user, which allows local users to gain privileges.
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-11-19 03:52:56 UTC
fixed in tree

keystone-2013.1.4-r1.ebuild:	"${FILESDIR}/2013.1.4-CVE-2013-4477.patch"
keystone-2013.2-r1.ebuild:	"${FILESDIR}/2013.2-CVE-2013-4477.patch"