Bug 895847 (CVE-2014-3621) - VUL-0: CVE-2014-3621: openstack-keystone: Configuration option leak through Keystone catalog
Summary: VUL-0: CVE-2014-3621: openstack-keystone: Configuration option leak through K...
Status: RESOLVED FIXED
Alias: CVE-2014-3621
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Deadline: 2014-10-24
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: cloud:nextupdate maint:released:sle...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-09 15:41 UTC by Marcus Meissner
Modified: 2015-03-25 15:53 UTC
CC: 4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
cve-2014-3621-master-juno.patch (5.47 KB, patch)
2014-09-09 15:41 UTC, Marcus Meissner
cve-2014-3621-stable-havana.patch (7.26 KB, patch)
2014-09-09 15:42 UTC, Marcus Meissner
cve-2014-3621-stable-icehouse.patch (4.74 KB, patch)
2014-09-09 15:42 UTC, Marcus Meissner

Description Marcus Meissner 2014-09-09 15:41:15 UTC
embargoed, via preannouncement

CRD 2014-09-16, 1500UTC

This is an advance warning of a vulnerability discovered in OpenStack,
to give you, as downstream stakeholders, a chance to coordinate the
release of fixes and reduce the vulnerability window. Please treat the
following information as confidential until the proposed public
disclosure date.

Title: Configuration option leak through Keystone catalog
Reporter: Brant Knudson (IBM)
Products: Keystone
Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2.1

Description:
Brant Knudson from IBM reported a vulnerability in Keystone catalog URL
replacement. By creating a malicious endpoint a privileged user may
reveal configuration options resulting in sensitive information, like
master admin_token, being exposed through the service url. All Keystone
setups that allow non-admin users to create endpoints are affected.

Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to stable/havana, stable/icehouse and master (Juno
development branch) on the public disclosure date.

CVE: CVE-2014-3621

Proposed public disclosure date/time:
2014-09-16, 1500UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date.

Regards,

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team
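The advisory above describes the bug class only in one sentence: catalog endpoint URLs are templates whose "$(name)s" placeholders get expanded from a dictionary, and when that dictionary is the whole Keystone configuration, an endpoint template can pull any option, admin_token included, into the returned service URL. The following is an added illustration written for this page, not code from the bug report, the attached patches or Keystone itself. It models the vulnerable expansion next to a hardened one that only honours an explicit allowlist of placeholder names, and adds a small audit routine a deployer could run over an existing catalog. The config values, the catalog entries, the allowlist contents and the function names (format_url_unsafe, format_url_safe, audit_catalog) are all constructed for the example.

```python
"""Added illustration of the CVE-2014-3621 bug class: Keystone-style endpoint
URL templates such as "http://$(public_bind_host)s:$(admin_port)s/v2.0" are
expanded by looking up each "$(name)s" placeholder in a dictionary. If that
dictionary is the whole configuration, a template like "$(admin_token)s"
exposes the secret in the catalog. This is a simplified model, not Keystone's
code; the config values and the allowlist below are constructed."""
import re

# Constructed stand-in for a Keystone configuration; every value is fake.
CONFIG = {
    "public_bind_host": "10.0.0.5",
    "admin_port": "35357",
    "public_port": "5000",
    "admin_token": "FAKE-ADMIN-TOKEN",  # the kind of option that must never reach a URL
}

# Assumption: the hardened version only lets templates reference these
# non-sensitive deployment values (plus per-request scope such as tenant_id).
ALLOWED_KEYS = frozenset({"public_bind_host", "admin_port", "public_port",
                          "tenant_id", "user_id"})

# Keystone templates write placeholders as "$(name)s".
_PLACEHOLDER = re.compile(r"\$\((\w+)\)s")


class UnsafeTemplate(ValueError):
    """Raised when a template references a key outside the allowlist."""


def template_keys(url):
    """Return the set of placeholder names a URL template references."""
    return set(_PLACEHOLDER.findall(url))


def format_url_unsafe(url, config):
    """The vulnerable pattern: every configuration option is reachable from
    the template, so whoever may create an endpoint can read any option."""
    return _PLACEHOLDER.sub(lambda m: str(config[m.group(1)]), url)


def format_url_safe(url, config, request_values=None, allowed=ALLOWED_KEYS):
    """Hardened expansion: reject unknown keys up front and build the
    substitution dictionary only from allowlisted entries."""
    keys = template_keys(url)
    disallowed = keys - allowed
    if disallowed:
        raise UnsafeTemplate("template references non-allowlisted keys: %s"
                             % sorted(disallowed))
    values = {k: str(config[k]) for k in keys if k in config}
    for k, v in (request_values or {}).items():
        if k in allowed:
            values[k] = str(v)
    missing = keys - set(values)
    if missing:
        raise KeyError("no value for placeholder(s): %s" % sorted(missing))
    return _PLACEHOLDER.sub(lambda m: values[m.group(1)], url)


def audit_catalog(endpoints, allowed=ALLOWED_KEYS):
    """Defender check for an existing catalog: list (endpoint id, field, keys)
    for every endpoint URL that references a key outside the allowlist."""
    findings = []
    for ep in endpoints:
        for field in ("publicurl", "internalurl", "adminurl"):
            bad = template_keys(ep.get(field, "")) - allowed
            if bad:
                findings.append((ep["id"], field, sorted(bad)))
    return findings


if __name__ == "__main__":
    # Constructed catalog: one legitimate endpoint and one that probes the config.
    catalog = [
        {"id": "ep-1", "publicurl": "http://$(public_bind_host)s:$(public_port)s/v2.0",
         "adminurl": "http://$(public_bind_host)s:$(admin_port)s/v2.0"},
        {"id": "ep-2", "publicurl": "http://example.invalid/$(admin_token)s"},
    ]
    print(format_url_unsafe(catalog[1]["publicurl"], CONFIG))  # secret leaks
    print(audit_catalog(catalog))                               # flags ep-2
    print(format_url_safe(catalog[0]["adminurl"], CONFIG))      # safe expansion
```

The design point is that the safe variant never hands the configuration object to the formatter at all: it resolves only the names the template asks for, and only if those names are on the allowlist, so adding a new sensitive option to the configuration later cannot silently widen what a catalog template can reach. The audit routine is the corresponding check for catalogs that were populated before the fix was deployed.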
Comment 1 Marcus Meissner 2014-09-09 15:41:46 UTC
Created attachment 605603 [details]
cve-2014-3621-master-juno.patch

patch for Juno
Comment 2 Marcus Meissner 2014-09-09 15:42:03 UTC
Created attachment 605604 [details]
cve-2014-3621-stable-havana.patch

patch for havana
Comment 3 Marcus Meissner 2014-09-09 15:42:24 UTC
Created attachment 605605 [details]
cve-2014-3621-stable-icehouse.patch

patch for icehouse
Comment 4 Swamp Workflow Management 2014-09-09 22:00:57 UTC
bugbot adjusting priority
Comment 5 SMASH SMASH 2014-09-10 06:50:14 UTC
Affected packages:

SLE-11-SP3-CL4: openstack-keystone
SLE-11-SP3-PRODUCTS: openstack-keystone
SLE-11-SP3-UPTU: openstack-keystone
Comment 6 Dirk Mueller 2014-09-10 13:48:04 UTC
not public, so nothing that we can do about it.
Comment 7 Marcus Meissner 2014-09-17 05:12:58 UTC
public via oss-sec now
Comment 8 Dirk Mueller 2014-09-19 07:11:13 UTC
It is already in our packages.
Comment 10 Swamp Workflow Management 2014-09-26 11:25:36 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages by 2014-10-24.
https://swamp.suse.de/webswamp/wf/59124
Comment 11 Swamp Workflow Management 2014-11-06 11:04:49 UTC
SUSE-SU-2014:1365-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (low)
Bug References: 895847,897467,897744,897815
CVE References: CVE-2014-3621
Sources used:
SUSE Cloud 4 (src):    openstack-keystone-2014.1.3.dev18.g878f12e-0.7.1, openstack-keystone-doc-2014.1.3.dev18.g878f12e-0.7.1
Comment 13 Johannes Segitz 2015-03-25 15:53:09 UTC
all updates released