CVE-2014-3621

Published: 02 October 2014

The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.

Priority

Medium

Status

Package Release Status
keystone
Launchpad, Ubuntu, Debian
Upstream
Released (2013.2.3, 2014.1.2.1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (1:2014.2~rc1-0ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [1:2014.1.3-0ubuntu1])
Patches:
Upstream: https://review.openstack.org/121889 (juno)
Upstream: https://review.openstack.org/121890 (icehouse)
Upstream: https://review.openstack.org/121891 (havana)

Notes

AuthorNote
jdstrand
12.04 is affected. Create test service and malicious endpoint as
per the bug, then do (assumes 'testadmin' is in the 'admin' project (use
tenant id from `keystone tenant-list|grep admin`):
curl -k -X 'POST' -v http://127.0.0.1:5000/v2.0/tokens -d '{"auth":{"passwordCredentials":{"username": "testadmin", "password":"<pass>"}, "tenantId": "<id>"}}' -H 'Content-type: application/json' | python -m json.tool

References

Bugs