On 12/11/19 11:10 PM, Salvatore Bonaccorso wrote:
> Source: keystone
> Version: 2:16.0.0-4
> Severity: grave
> Tags: security upstream
> Forwarded: https://bugs.launchpad.net/keystone/+bug/1855080
> 
> Hi,
> 
> The following vulnerability was published for keystone.
> 
> CVE-2019-19687[0]:
> | OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in
> | the list credentials API. Any user with a role on a project is able to
> | list any credentials with the /v3/credentials API when enforce_scope
> | is false. Users with a role on a project are able to view any other
> | users' credentials, which could (for example) leak sign-on information
> | for Time-based One Time Passwords (TOTP). Deployments with
> | enforce_scope set to false are affected. (There will be a slight
> | performance impact for the list credentials API once this issue is
> | fixed.)
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-19687
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19687
> [1] https://bugs.launchpad.net/keystone/+bug/1855080
> 
> Regards,
> Salvatore

Hi Salvatore,

As ugly as it may look for somebody who doesn't know what the
"credentials" thing is for Keystone, the Keystone "credentials" API
is *not* the main auth API part of Keystone/OpenStack. Anyone using the
OpenStack API doesn't need this, and it may not even be activated by
default on some deployments (one needs to create special credential keys
in /etc/keystone/credential-keys for the "openstack ec2 credential
create" command to work).

This API is "only" used when using the EC2 API plugin for Nova, which
isn't packaged in Debian (and which I don't want to work on, as I don't
think that's necessary), and if using the S3 API for Swift (this one is
more commonly used and IMO more useful...).

I'm writing this for anyone looking at the BTS and not knowing what this
all is about.

That being said, I'm applying the upstream fix right away now.

Cheers,

Thomas Goirand (zigo)
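To make the scoping issue described in the advisory concrete, the following is an added illustrative model, not Keystone's own code and not the upstream fix, of how a per-credential policy check behaves when enforce_scope is false versus true; the names Token, Credential, may_read and list_credentials are assumptions, and the credential records are constructed sample data.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Hypothetical, simplified model of a Keystone-style credential store and
# policy check. Not Keystone's implementation; names are illustrative.


@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: Optional[str] = None          # set for project-scoped tokens
    system_scope: bool = False                # True for system-scoped tokens
    roles: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Credential:
    id: str
    user_id: str        # owner of the credential
    type: str           # e.g. "totp" or "ec2"
    blob: str           # secret material; must never reach other users


# Constructed sample store: two users, including a TOTP seed.
CREDENTIALS: List[Credential] = [
    Credential("c1", "alice", "ec2", "access=AK-PLACEHOLDER;secret=REDACTED"),
    Credential("c2", "bob", "totp", "totp-seed-REDACTED"),
    Credential("c3", "bob", "ec2", "access=BK-PLACEHOLDER;secret=REDACTED"),
]


def may_read(token: Token, cred: Credential, enforce_scope: bool) -> bool:
    """Policy decision for one credential.

    enforce_scope=False (the affected setting): any token that carries a
    role on a project satisfies the list rule, so every credential is
    visible, including other users' TOTP and EC2 secrets.
    enforce_scope=True: only a system-scoped admin or the owner may read it.
    """
    if not enforce_scope:
        return bool(token.roles) and token.project_id is not None
    if token.system_scope and "admin" in token.roles:
        return True
    return cred.user_id == token.user_id


def list_credentials(token: Token, enforce_scope: bool,
                     store: List[Credential] = CREDENTIALS) -> List[str]:
    # Evaluating policy per credential is the extra work behind the
    # "slight performance impact" the advisory mentions for the list API.
    return [c.id for c in store if may_read(token, c, enforce_scope)]
```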
