OSSA-2012-015: Some actions in Keystone admin API do not validate token

Date:

September 28, 2012

CVE:

CVE-2012-4456

Affects

  • Keystone: Essex (prior to 2012.1.2), Folsom (prior to folsom-2 development milestone)

Description

Jason Xu reported a vulnerability in Keystone. Two admin API actions did not require a valid token. The first was listing the roles assigned to a user. The second was the ability to get, create, and delete services. An unauthenticated client able to reach the admin API could therefore perform these actions without presenting any credentials.
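The following script is an added example, not part of the advisory or of Keystone itself, for checking whether a deployment still exhibits the behaviour described above. It sends the two read-only requests (list a user's roles, list services) to the admin endpoint with no X-Auth-Token header and classifies the response: a 401 or 403 means the token check is enforced, a 2xx means the action was served without authentication. The v2.0 paths, the default admin port 35357 and the placeholder user id are assumptions to adjust for your environment; the mutating service operations (create, delete) share the same check and are deliberately not probed, since a request that succeeds on an unpatched server would modify the catalog. A constructed stand-in server is included so the logic can be exercised offline.

```python
import sys
import urllib.error
import urllib.request

# Read-only probes for the two actions named in the advisory.
# Assumption: paths follow the Keystone v2.0 admin API; "{user_id}" is
# substituted at run time.
READ_ONLY_PROBES = (
    ("GET", "/v2.0/users/{user_id}/roles"),   # list roles for a user
    ("GET", "/v2.0/OS-KSADM/services"),       # list services
)


def classify(status):
    """Map the HTTP status of a tokenless request to a verdict."""
    if status in (401, 403):
        return "enforced"      # server refused the request without a token
    if 200 <= status < 300:
        return "vulnerable"    # admin action served with no credentials
    return "inconclusive"      # e.g. 404 for an unknown user id, 5xx, etc.


def probe(request, base_url, user_id):
    """Run every probe through request(method, url, headers) -> status.

    The headers passed never contain X-Auth-Token; that is the point of the
    check. Returns {(method, path_template): verdict}.
    """
    results = {}
    for method, template in READ_ONLY_PROBES:
        url = base_url.rstrip("/") + template.format(user_id=user_id)
        status = request(method, url, {"Accept": "application/json"})
        results[(method, template)] = classify(status)
    return results


def is_vulnerable(results):
    """True if any admin action was served without a token."""
    return any(v == "vulnerable" for v in results.values())


def http_request(method, url, headers):
    """Real transport using urllib; HTTP errors are returned as status codes."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def simulated_keystone(enforce_token):
    """Constructed stand-in for an admin endpoint, used for offline runs.

    With enforce_token=False it behaves like an unpatched server and answers
    every request; with enforce_token=True it rejects requests lacking
    X-Auth-Token with 401, as a patched server does.
    """
    def request(method, url, headers):
        if enforce_token and "X-Auth-Token" not in headers:
            return 401
        return 200
    return request


if __name__ == "__main__":
    # Usage: python check_ossa_2012_015.py http://keystone:35357 <user_id>
    # Without arguments, run against the constructed stand-ins instead.
    if len(sys.argv) == 3:
        verdicts = probe(http_request, sys.argv[1], sys.argv[2])
    else:
        verdicts = probe(simulated_keystone(enforce_token=False),
                         "http://keystone:35357", "example-user-id")
    for (method, path), verdict in verdicts.items():
        print(f"{method} {path}: {verdict}")
    print("VULNERABLE" if is_vulnerable(verdicts) else "token check enforced")
```

A 404 on the roles probe usually means the user id does not exist rather than that the check is enforced, which is why it is reported as inconclusive; rerun with a user id that is known to exist before drawing a conclusion.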

Patches

Credits

  • Jason Xu (CVE-2012-4456)

References