OSSA-2013-017: Issues in Keystone middleware memcache signing/encryption feature

OSSA-2013-017: Issues in Keystone middleware memcache signing/encryption feature

Date

June 19, 2013

CVE

CVE-2013-2166, CVE-2013-2167

Affects

  • Python-keystoneclient: Versions 0.2.3 up to 0.2.5

Description

Paul McMillan from Nebula reported multiple issues in the implementation of memcache signing/encryption feature in Keystone client middleware. An attacker with direct write access to the memcache backend (or in a man-in-the-middle position) could insert malicious data and potentially bypass the encryption (CVE-2013-2166) or signing (CVE-2013-2167) security strategy that was specified. Only setups that make use of memcache caching in the Keystone middleware (specify memcache_servers) and using ENCRYPT or MAC as their memcache_security_strategy are affected.

Patches

Credits

  • Paul McMillan from Nebula (CVE-2013-2166, CVE-2013-2167)

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.