Hi Thomas!

On Thu, Dec 12, 2019 at 10:13:25PM +0100, Thomas Goirand wrote:
> On 12/11/19 11:10 PM, Salvatore Bonaccorso wrote:
> > Source: keystone
> > Version: 2:16.0.0-4
> > Severity: grave
> > Tags: security upstream
> > Forwarded: https://bugs.launchpad.net/keystone/+bug/1855080
> >
> > Hi,
> >
> > The following vulnerability was published for keystone.
> >
> > CVE-2019-19687[0]:
> > | OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in
> > | the list credentials API. Any user with a role on a project is able to
> > | list any credentials with the /v3/credentials API when enforce_scope
> > | is false. Users with a role on a project are able to view any other
> > | users' credentials, which could (for example) leak sign-on information
> > | for Time-based One Time Passwords (TOTP). Deployments with
> > | enforce_scope set to false are affected. (There will be a slight
> > | performance impact for the list credentials API once this issue is
> > | fixed.)
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-19687
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19687
> > [1] https://bugs.launchpad.net/keystone/+bug/1855080
> >
> > Regards,
> > Salvatore
>
> Hi Salvatore,
>
> As ugly as it may look for somebody that doesn't know what the
> "credentials" thing is for Keystone, the Keystone "credentials" API
> is *not* the main auth API part of Keystone/OpenStack. Anyone using the
> OpenStack API doesn't need this, and it may not even be activated by
> default on some deployments (one needs to create special credential keys
> in /etc/keystone/credential-keys for the "openstack ec2 credential
> create" command to work).
>
> This API is "only" used when using the EC2 API plugin for Nova, which
> isn't packaged in Debian (and which I don't want to work on, as I don't
> think that's necessary), and if using the S3 API for Swift (this one is
> more commonly used and IMO more useful...).
>
> I'm writing this for anyone looking at the BTS and not knowing what this
> is all about.
>
> That being said, I'm applying the upstream fix right away now.
Many thanks for the detailed explanation!

Regards,
Salvatore
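The CVE text above describes the observable symptom, but not how an operator would confirm whether their own deployment exposes it. The following is an added example written for this page; it is not code from the bug report, from Debian, or from Keystone. It assumes you have captured the JSON body of GET /v3/credentials while holding only a project-scoped token for an ordinary (non-admin) user, for instance via `openstack credential list -f json` as that user, or with curl and an X-Auth-Token header, and that you know that user's user_id. The sample bodies, ids, user ids, blobs and the keystone.example.org URL are constructed for the example. On a fixed Keystone, or one enforcing scope, such a listing returns only the caller's own credentials; any entry with a different user_id is the leak the CVE describes.

```python
"""Offline check for CVE-2019-19687-style leakage in Keystone's list
credentials API (added example; not Keystone's own code).

Feed it the JSON body returned by GET /v3/credentials to an ordinary user
holding a project-scoped token, together with that user's own user_id.
"""
import json
from collections import Counter
from typing import Dict, List
from urllib.request import Request, urlopen

# Constructed sample body in the shape Keystone returns for GET /v3/credentials
# on an affected deployment. The ids, user ids and blobs are made up; a real
# ec2 blob carries the access/secret pair, a real totp blob the shared seed.
LEAKY_RESPONSE = json.dumps({
    "credentials": [
        {"id": "cred-1", "type": "ec2", "user_id": "user-alice",
         "project_id": "proj-1",
         "blob": "{\"access\": \"AKEXAMPLE1\", \"secret\": \"SKEXAMPLE1\"}"},
        {"id": "cred-2", "type": "totp", "user_id": "user-bob",
         "project_id": None, "blob": "GMNRGQ2TMM2TGNRQ"},
        {"id": "cred-3", "type": "ec2", "user_id": "user-carol",
         "project_id": "proj-2",
         "blob": "{\"access\": \"AKEXAMPLE3\", \"secret\": \"SKEXAMPLE3\"}"},
    ],
    "links": {"self": "https://keystone.example.org:5000/v3/credentials",
              "previous": None, "next": None},
})

# Constructed body for the same request (alice's project-scoped token) against
# a fixed or scope-enforcing Keystone: only alice's own credential comes back.
FILTERED_RESPONSE = json.dumps({
    "credentials": [json.loads(LEAKY_RESPONSE)["credentials"][0]],
    "links": {"self": "https://keystone.example.org:5000/v3/credentials",
              "previous": None, "next": None},
})


def fetch_credentials(keystone_url: str, token: str) -> str:
    """Fetch GET /v3/credentials with a project-scoped token (live use only;
    not exercised by the offline sample below). keystone_url is the base URL,
    e.g. https://keystone.example.org:5000 (hypothetical host)."""
    req = Request(keystone_url.rstrip("/") + "/v3/credentials",
                  headers={"X-Auth-Token": token, "Accept": "application/json"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def foreign_credentials(body: str, own_user_id: str) -> List[Dict]:
    """Return the credential entries owned by someone other than own_user_id."""
    doc = json.loads(body)
    return [c for c in doc.get("credentials", []) if c.get("user_id") != own_user_id]


def is_affected(body: str, own_user_id: str) -> bool:
    """True when a project-scoped, non-admin listing exposes other users' credentials."""
    return bool(foreign_credentials(body, own_user_id))


def leak_report(body: str, own_user_id: str) -> Dict[str, Counter]:
    """Summarise a leak without echoing secrets: counts per credential type and
    per owning user. The blob (ec2 secret, TOTP seed) is deliberately never
    copied into the report, so it is safe to paste into a ticket."""
    leaked = foreign_credentials(body, own_user_id)
    return {
        "by_type": Counter(c.get("type", "unknown") for c in leaked),
        "by_user": Counter(c.get("user_id", "unknown") for c in leaked),
    }


if __name__ == "__main__":
    for label, body in (("leaky", LEAKY_RESPONSE), ("filtered", FILTERED_RESPONSE)):
        rep = leak_report(body, "user-alice")
        print(label, "affected:", is_affected(body, "user-alice"), dict(rep["by_type"]))
```

Run the check with a plain project-scoped user, not an admin: an administrator is expected to see every credential, so an admin listing says nothing about the bug. The `enforce_scope` knob the advisory refers to is the oslo.policy option, set under `[oslo_policy]` in keystone.conf; `enforce_scope = True` closes the listing for project-scoped tokens on an unpatched Keystone, while the upstream fix makes the API filter by the caller's user_id regardless of that setting. Keep the raw response out of ticket systems and logs; the report above is what to share.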