OSSA-2021-003: Account name and UUID oracles in account locking¶

Date:: August 10, 2021
CVE:: CVE-2021-38155

Affects¶

Keystone: >=10.0.0 <16.0.2, >=17.0.0 <17.0.1, >=18.0.0 <18.0.1, >=19.0.0 <19.0.1

Description¶

Samuel de Medeiros Queiroz with Oi Cloud reported a vulnerability affecting Keystone account locking. By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account’s corresponding UUID, which might be leveraged for other unrelated attacks. All Keystone deployments enabling security_compliance.lockout_failure_attempts are affected.

Patches¶

https://review.opendev.org/790444 (Train)
https://review.opendev.org/790443 (Ussuri)
https://review.opendev.org/790442 (Victoria)
https://review.opendev.org/790440 (Wallaby)
https://review.opendev.org/759940 (Xena)

Credits¶

Samuel de Medeiros Queiroz from Oi Cloud (CVE-2021-38155)

References¶

https://launchpad.net/bugs/1688137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38155

OSSA-2021-003: Account name and UUID oracles in account locking