OSSA-2020-003: Keystone does not check signature TTL of the EC2 credential auth method

Date

May 06, 2020

CVE

CVE-2020-12692

Affects

  • Keystone: <15.0.1, ==16.0.0

Description

kay reported a vulnerability in keystone's EC2 API. Keystone does not check the signature TTL for AWS Signature V4 requests, i.e. it never compares the timestamp the client signed against the current time, so an attacker who can sniff a signed auth header can replay it and obtain a new OpenStack token an unlimited number of times.
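To make the replay concrete, the following is an added example (not keystone's code, and not the reporter's proof of concept) of a minimal AWS Signature V4-style signer with two verifiers: one that only recomputes the signature, as the vulnerable behaviour described above, and one that also rejects signed timestamps outside a freshness window. The secret key, host, region and service names, the canonical request and the five-minute window are all constructed for the example and are not taken from keystone or from the advisory.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed values for the example only; none of these come from keystone.
SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # made-up EC2 secret key
HOST = "keystone.example.test"                        # assumed host
REGION, SERVICE = "RegionOne", "ec2"                  # assumed scope names
MAX_SKEW = timedelta(minutes=5)                       # assumed TTL window


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def canonical_request(amz_date: str) -> str:
    # Minimal SigV4-shaped canonical request: method, path, query string,
    # canonical headers, signed-header list, payload hash. The signed
    # x-amz-date header is what ties the timestamp to the signature.
    payload_hash = hashlib.sha256(b"").hexdigest()
    return "\n".join(["GET", "/", "Action=DescribeInstances",
                      f"host:{HOST}\nx-amz-date:{amz_date}\n",
                      "host;x-amz-date", payload_hash])


def sign_request(secret: str, amz_date: str) -> str:
    """Derive the SigV4 signing key for the request date and sign."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request(amz_date).encode()).hexdigest()])
    key = _hmac(("AWS4" + secret).encode(), date_stamp)
    for part in (REGION, SERVICE, "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def verify_signature_only(secret: str, amz_date: str, signature: str) -> bool:
    """Vulnerable shape: a valid signature is accepted no matter how old it is,
    so a captured (amz_date, signature) pair can be replayed forever."""
    return hmac.compare_digest(sign_request(secret, amz_date), signature)


def verify_with_ttl(secret: str, amz_date: str, signature: str,
                    now: datetime) -> bool:
    """Hardened shape: the signature must verify AND the signed timestamp must
    lie within MAX_SKEW of the server clock. Because x-amz-date is covered by
    the signature, an attacker cannot refresh it without the secret key."""
    if not verify_signature_only(secret, amz_date, signature):
        return False
    try:
        ts = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ")
    except ValueError:
        return False  # malformed timestamp is rejected, not treated as fresh
    ts = ts.replace(tzinfo=timezone.utc)
    return abs(now - ts) <= MAX_SKEW


if __name__ == "__main__":
    issued = datetime(2020, 5, 6, 12, 0, 0, tzinfo=timezone.utc)
    amz_date = issued.strftime("%Y%m%dT%H%M%SZ")
    sig = sign_request(SECRET, amz_date)
    later = issued + timedelta(hours=1)
    print("replay accepted without TTL check:",
          verify_signature_only(SECRET, amz_date, sig))
    print("replay accepted with TTL check:   ",
          verify_with_ttl(SECRET, amz_date, sig, later))
```

The important design point is that the freshness check only works because the timestamp is inside the signed material: a verifier that read the date from an unsigned header could be fed any date the attacker likes. The window size is a policy choice; it must be small enough to bound replay but wide enough to tolerate clock skew between clients and the server.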

Errata

CVE-2020-12692 was assigned after the original publication date.

Credits

  • kay (CVE-2020-12692)

Notes

  • The stable/rocky branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy.

OSSA History

  • 2020-05-07 - Errata 1

  • 2020-05-06 - Original Version