OSSA-2020-003: Keystone does not check signature TTL of the EC2 credential auth method
- Date: May 06, 2020
- CVE: CVE-2020-12692
Affects
Keystone: <15.0.1, ==16.0.0
Description
kay reported a vulnerability in Keystone's EC2 API. Keystone does not check the timestamp (signature TTL) of AWS Signature V4 requests, so an attacker who captures the authentication header can replay it to obtain an OpenStack token an unlimited number of times.
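The following added example (not Keystone's code) contrasts an acceptance check that verifies only the signature with one that also enforces a freshness window on the signed X-Amz-Date timestamp. The signing scheme is a deliberately simplified stand-in for SigV4, and the 15-minute tolerance is an assumed example value.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

AMZ_DATE_FMT = "%Y%m%dT%H%M%SZ"      # timestamp format carried in X-Amz-Date
DEFAULT_TTL = timedelta(minutes=15)   # assumed tolerance window (example value)


def string_to_sign(headers):
    # Simplified stand-in for the SigV4 canonical request. The timestamp is
    # covered by the signature, so it cannot be edited without a valid key.
    return "\n".join(["AWS4-HMAC-SHA256", headers["X-Amz-Date"], headers["Host"]])


def sign(secret, headers):
    return hmac.new(secret.encode(), string_to_sign(headers).encode(),
                    hashlib.sha256).hexdigest()


def signature_valid(secret, headers):
    # Constant-time comparison of the presented signature against a recomputed one.
    return hmac.compare_digest(sign(secret, headers), headers.get("Authorization", ""))


def signature_within_ttl(headers, now, ttl=DEFAULT_TTL):
    try:
        signed_at = datetime.strptime(headers["X-Amz-Date"],
                                      AMZ_DATE_FMT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False  # missing or malformed timestamp: fail closed
    # Symmetric window: rejects stale replays and future-dated requests alike.
    return abs(now - signed_at) <= ttl


def accept_unpatched(secret, headers, now):
    # Pre-fix behaviour: a valid signature is accepted regardless of age,
    # so a captured header keeps working indefinitely.
    return signature_valid(secret, headers)


def accept_patched(secret, headers, now):
    # Fixed behaviour: the signature must verify AND be fresh.
    return signature_valid(secret, headers) and signature_within_ttl(headers, now)


def constructed_request(secret, amz_date):
    # Constructed sample request for demonstration purposes.
    headers = {"Host": "keystone.example.test", "X-Amz-Date": amz_date}
    headers["Authorization"] = sign(secret, headers)
    return headers
```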
Errata
CVE-2020-12692 was assigned after the original publication date.
Patches
https://review.opendev.org/724746 (Ussuri)
https://review.opendev.org/724124 (Victoria)
Credits
kay (CVE-2020-12692)
References
Notes
The stable/rocky branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy.
OSSA History
2020-05-07 - Errata 1
2020-05-06 - Original Version