USN-4480-1: OpenStack Keystone vulnerabilities

01 September 2020

Several security issues were fixed in OpenStack Keystone.

Releases

Packages

Details

It was discovered that OpenStack Keystone incorrectly handled EC2
credentials. An authenticated attacker with a limited scope could possibly
create EC2 credentials with escalated permissions. (CVE-2020-12689,
CVE-2020-12691)

It was discovered that OpenStack Keystone incorrectly handled the list of
roles provided with OAuth1 access tokens. An authenticated user could
possibly end up with more role assignments than intended. (CVE-2020-12690)

It was discovered that OpenStack Keystone incorrectly handled EC2 signature
TTL checks. A remote attacker could possibly use this issue to reuse
Authorization headers. (CVE-2020-12692)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04

In general, a standard system update will make all the necessary changes.