OSSA-2021-003: Account name and UUID oracles in account locking

Date

August 10, 2021

CVE

CVE-2021-38155

Affects

  • Keystone: >=10.0.0 <16.0.2, >=17.0.0 <17.0.1, >=18.0.0 <18.0.1, >=19.0.0 <19.0.1

Description

Samuel de Medeiros Queiroz with Oi Cloud reported a vulnerability affecting Keystone account locking. By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account’s corresponding UUID, which might be leveraged for other unrelated attacks. All Keystone deployments enabling security_compliance.lockout_failure_attempts are affected.

Patches

Credits

  • Samuel de Medeiros Queiroz from Oi Cloud (CVE-2021-38155)

References