Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 3.5
CVE Id: CVE-2012-5571
Last Modified: 25 Feb 2013 11:52:03
Published: 17 Dec 2012 08:55:03
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE_INSTANCE

CVE-2012-5571

Summary

OpenStack Keystone Essex (2012.1) and Folsom (2012.2) do not properly handle EC2 tokens when the user's role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token issued for the removed user role.

Vulnerable Systems

Application

  • OpenStack Essex 2012.1

  • OpenStack Folsom 2012.2


References

  • CONFIRM - https://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653

  • CONFIRM - https://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19

  • CONFIRM - https://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b

  • CONFIRM - https://bugs.launchpad.net/keystone/+bug/1064914

  • XF - keystone-tenant-sec-bypass(80333)

  • UBUNTU - USN-1641-1

  • MLIST - [oss-security] 20121128 [OSSA 2012-019] Extension of token validity through token chaining (CVE-2012-5563)

  • MLIST - [oss-security] 20121128 [OSSA 2012-018] EC2-style credentials invalidation issue (CVE-2012-5571)

  • SECUNIA - 51436

  • SECUNIA - 51423

  • REDHAT - RHSA-2012:1556

  • FEDORA - FEDORA-2012-19341

  • REDHAT - RHSA-2012:1557

  • BID - 56726


Last Updated: 27 May 2016 10:57:37