
CVE-2013-2157

Published: 13 June 2013

OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to bypass authentication via an empty password.

Notes

Author: seth-arnold
Note: patches in Message-ID: <51B1A6BC.9050307@openstack.org>

Author: jdstrand
Note: 12.04 LTS does not have 0d32a417c811ce37b1b7ea1fbbc0a8376b9b3723, which is required to be exposed to this bug (i.e. anonymous binds fail without it). If 0d32a417c811ce37b1b7ea1fbbc0a8376b9b3723 is applied then the patch for folsom will work with some light modifications.
Priority

Medium

Status

Package: keystone (Launchpad, Ubuntu, Debian)

Release   Status
lucid     Does not exist
precise   Not vulnerable
quantal   Released (2012.2.4-0ubuntu3.1)
raring    Released (1:2013.1.1-0ubuntu2.1)
upstream  Released (1:2013.2~rc4)
Patches:
upstream: https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff;h=35eb7bbc0d28721122c25a64ab687af23ecf6000 (folsom)
upstream: https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff;h=c100fd2f1fe024cb2f731bfdd283cee36259e6e3 (grizzly)