CVE-2012-5571

Related Files

Red Hat Security Advisory 2012-1557-01

Posted Dec 11, 2012

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2012-1557-01 - The openstack-keystone packages provide Keystone, a Python implementation of the OpenStack identity service API, which provides Identity, Token, Catalog, and Policy services. The openstack-keystone packages have been upgraded to upstream version 2012.2.1, which provides a number of bug fixes and enhancements over the previous version. This update also fixes the following security issues: A flaw in Keystone allowed an attacker with access to the web and network interfaces to continue using chained tokens linked to tokens that had expired. This would allow the attacker to continue using the tokens despite the parent token being expired, giving them continued access to OpenStack services.

tags | advisory, web, python

systems | linux, redhat

advisories | CVE-2012-5563, CVE-2012-5571

SHA-256 | 049422a68c95f666521fc11188f18b634060976a525e6b3591406c740aafbde2

Download | Favorite | View

Red Hat Security Advisory 2012-1556-01

Posted Dec 11, 2012

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2012-1556-01 - The openstack-keystone packages provide Keystone, a Python implementation of the OpenStack identity service API, which provides Identity, Token, Catalog, and Policy services. The openstack-keystone packages have been upgraded to upstream version 2012.1.3, which provides a number of bug fixes and enhancements over the previous version. This update also fixes the following security issues: It was found that Keystone did not correctly handle users being removed from tenants when Amazon Elastic Compute Cloud style credentials were in use. When a user was removed from a tenant, they retained the privileges provided by that tenant, allowing them to access resources they should no longer have access to.

tags | advisory, python

systems | linux, redhat

advisories | CVE-2012-5483, CVE-2012-5571

SHA-256 | c03a7ac3f00a8f63456f921f8cd1f743a8d990c673054c23a88f4c3f9099534a

Download | Favorite | View

Ubuntu Security Notice USN-1641-1

Posted Nov 29, 2012

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1641-1 - Vijaya Erukala discovered that Keystone did not properly invalidate EC2-style credentials such that if credentials were removed from a tenant, an authenticated and authorized user using those credentials may still be allowed access beyond the account owner's expectations. It was discovered that Keystone did not properly implement token expiration. A remote attacker could use this to continue to access an account that is disabled or has a changed password. This issue was previously fixed as CVE-2012-3426 but was reintroduced in Ubuntu 12.10. Various other issues were also addressed.

tags | advisory, remote

systems | linux, ubuntu

advisories | CVE-2012-5571, CVE-2012-5563, CVE-2012-5563, CVE-2012-5571

SHA-256 | 1d58a17a27c95d9ddb96902292330a3f808876fe7de7eb0ec28e0a1fc6c9ba2c

Download | Favorite | View