[Secure-testing-team] Bug#700947: CVE-2013-0282: Ensure EC2 users and tenant are enabled
Thomas Goirand
zigo at debian.org
Tue Feb 19 15:59:51 UTC 2013
Package: keystone
Version: 2012.1.1-12
Severity: grave
Tags: security
Nathanael Burton reported a vulnerability in EC2-style authentication in
Keystone. Keystone fails to check whether a user, tenant, or domain is enabled
before authenticating a user using the EC2 API. Authenticated, but disabled
users (or authenticated users in disabled tenants or domains) could therefore
retain access rights that were thought removed. Only setups enabling EC2-style
authentication are affected. To disable EC2-style authentication to work
around the issue, remove the EC2 extension from the keystone API pipeline in
keystone.conf.
Patched version is ready, upload is coming.
Thomas Goirand (zigo)
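
The missing check described in the report above, as an added example that is not part of the original message and is not Keystone's code. It is a self-contained model (the data layout, sample records and all function names are assumptions) comparing EC2-style authentication that trusts a valid signature alone with a version that also requires the user, the tenant and their domains to be enabled.

```python
import hashlib
import hmac

# Constructed sample data; layout and names are assumptions, not Keystone's schema.
DOMAINS = {"d1": {"enabled": True}, "d2": {"enabled": False}}
TENANTS = {"t1": {"enabled": True, "domain": "d1"},
           "t2": {"enabled": False, "domain": "d1"},
           "t3": {"enabled": True, "domain": "d2"}}
USERS = {"alice": {"enabled": True, "domain": "d1"},
         "bob": {"enabled": False, "domain": "d1"}}
# access key -> (secret, user, tenant)
EC2_CREDS = {"AK1": ("s1", "alice", "t1"), "AK2": ("s2", "bob", "t1"),
             "AK3": ("s3", "alice", "t2"), "AK4": ("s4", "alice", "t3")}


def sign(secret, msg):
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()


def _verify(access, signature, msg):
    """Return the stored credential if the signature matches, else None."""
    cred = EC2_CREDS.get(access)
    if cred and hmac.compare_digest(sign(cred[0], msg), signature):
        return cred
    return None


def authenticate_signature_only(access, signature, msg):
    """Behaviour described in the report: enabled flags are never consulted."""
    cred = _verify(access, signature, msg)
    return None if cred is None else (cred[1], cred[2])


def authenticate_with_enabled_checks(access, signature, msg):
    """Also require the user, the tenant and their domains to be enabled."""
    cred = _verify(access, signature, msg)
    if cred is None:
        return None
    _, user_id, tenant_id = cred
    user, tenant = USERS[user_id], TENANTS[tenant_id]
    owners = (user, tenant, DOMAINS[user["domain"]], DOMAINS[tenant["domain"]])
    if not all(o["enabled"] for o in owners):
        return None
    return user_id, tenant_id
```

Credentials AK2, AK3 and AK4 (disabled user, disabled tenant, disabled domain) still authenticate in the signature-only function and are rejected once the enabled checks are applied.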