OSSA-2013-005: EC2-style authentication accepts disabled user/tenants¶

Date:: February 19, 2013
CVE:: CVE-2013-0282

Affects¶

Keystone: All versions

Description¶

Nathanael Burton reported a vulnerability in EC2-style authentication in Keystone. Keystone fails to check whether a user, tenant, or domain is enabled before authenticating a user using the EC2 api. Authenticated, but disabled users (or authenticated users in disabled tenants or domains) could therefore retain access rights that were thought removed. Only setups enabling EC2-style authentication are affected. To disable EC2-style authentication to work around the issue, remove the EC2 extension (keystone.contrib.ec2:Ec2Extension.factory) from the keystone API pipeline in keystone.conf.

Patches¶

https://review.openstack.org/#/c/22321 (Essex)
https://review.openstack.org/#/c/22320 (Folsom)
https://review.openstack.org/#/c/22319 (Grizzly)

Credits¶

Nathanael Burton from National Security Agency (CVE-2013-0282)

References¶

https://launchpad.net/bugs/1121494
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0282

OSSA-2013-005: EC2-style authentication accepts disabled user/tenants