
             AUSCERT External Security Bulletin Redistribution

         Important: openstack-keystone security and bug fix update
                              23 October 2014


        AusCERT Security Bulletin Summary

Product:           openstack-keystone
Publisher:         Red Hat
Operating System:  Red Hat
                   Linux variants
Impact/Access:     Access Privileged Data -- Existing Account      
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3621 CVE-2014-2828 

Original Bulletin: 

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running openstack-keystone check for an updated version of the 
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------


                   Red Hat Security Advisory

Synopsis:          Important: openstack-keystone security and bug fix update
Advisory ID:       RHSA-2014:1688-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1688.html
Issue date:        2014-10-22
CVE Names:         CVE-2014-2828 CVE-2014-3621 

1. Summary:

Updated openstack-keystone packages that fix two security issues and
multiple bugs are now available for Red Hat Enterprise Linux OpenStack
Platform 4.0.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux OpenStack Platform 4.0 - noarch

3. Description:

The OpenStack Identity service (keystone) authenticates and authorizes
OpenStack users by keeping track of users and their permitted activities.
The Identity service supports multiple forms of authentication, including
user name and password credentials, token-based systems, and AWS-style

A flaw was found in the keystone V3 API. An attacker could send a single
request with the same authentication method multiple times, possibly
leading to a denial of service due to generating excessive load with
minimal requests. Only keystone setups with the V3 API enabled were
affected by this issue. (CVE-2014-2828)
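The following Python example is added to this redistribution; it is not part of the Red Hat advisory or of the keystone code base. It shows the kind of request validation that closes the flaw described above: a v3 authentication body whose auth.identity.methods list names the same method more than once is refused before any credential check runs. The supported-method set and the sample request bodies are constructed for the example.

```python
import json


class InvalidAuthRequest(ValueError):
    """Raised when a v3 auth request body fails validation."""


# Authentication methods this (hypothetical) deployment accepts.
SUPPORTED_METHODS = {"password", "token"}


def validate_v3_auth_methods(body):
    """Return the list of auth methods named in a v3 auth request body.

    The request is rejected if the same method appears more than once, so a
    single request can never make the same credential check run repeatedly,
    and if a listed method has no matching credential block.
    """
    try:
        identity = body["auth"]["identity"]
        methods = identity["methods"]
    except (KeyError, TypeError):
        raise InvalidAuthRequest("missing auth.identity.methods")
    if not isinstance(methods, list) or not methods:
        raise InvalidAuthRequest("auth.identity.methods must be a non-empty list")
    seen = set()
    for method in methods:
        if not isinstance(method, str):
            raise InvalidAuthRequest("method names must be strings")
        if method not in SUPPORTED_METHODS:
            raise InvalidAuthRequest("unsupported auth method: %r" % method)
        if method in seen:
            raise InvalidAuthRequest("duplicate auth method: %r" % method)
        seen.add(method)
        if method not in identity:
            raise InvalidAuthRequest("no credentials supplied for method %r" % method)
    return methods


def check_request(raw_json):
    """Parse a raw request body; return (True, methods) or (False, reason)."""
    try:
        return True, validate_v3_auth_methods(json.loads(raw_json))
    except ValueError as exc:  # covers JSON decode errors and InvalidAuthRequest
        return False, str(exc)


# Constructed sample bodies (not captured from any real deployment).
GOOD_REQUEST = json.dumps({
    "auth": {"identity": {"methods": ["password"],
                          "password": {"user": {"name": "alice", "password": "x"}}}}
})
REPEATED_METHOD_REQUEST = json.dumps({
    "auth": {"identity": {"methods": ["password"] * 50,
                          "password": {"user": {"name": "alice", "password": "x"}}}}
})

if __name__ == "__main__":
    print(check_request(GOOD_REQUEST))
    print(check_request(REPEATED_METHOD_REQUEST))
```

The check runs on the parsed body before the identity back end is touched, so a rejected request costs one JSON parse rather than fifty password verifications.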

A flaw was found in the keystone catalog URL replacement. A user with
permissions to register an endpoint could use this flaw to leak
configuration data, including the master admin_token. Only keystone setups
that allow non-cloud-admin users to create endpoints were affected by this
issue. (CVE-2014-3621)
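The following Python example is added to this redistribution and is not Red Hat's or keystone's own code. It contrasts the weak pattern the advisory describes, substituting $(key)s placeholders in an endpoint URL from the whole service configuration, with a hardened form that validates the template against an allowlist of keys at registration time and substitutes only from an explicit dictionary. The allowlist, the configuration dictionary and the token value are constructed placeholders.

```python
import re

# Keys an endpoint URL template may reference. Anything else is refused when
# the endpoint is registered. This allowlist is an assumption for the example.
ALLOWED_SUBSTITUTIONS = {"tenant_id", "user_id", "project_id", "public_port", "admin_port"}

# Templated catalog placeholders look like $(tenant_id)s.
TEMPLATE_KEY_RE = re.compile(r"\$\((\w+)\)s")


class UnsafeEndpointTemplate(ValueError):
    """Raised when an endpoint URL references a key outside the allowlist."""


# Constructed service configuration standing in for the process-wide config
# that a naive substitution exposes. The token value is a placeholder.
CONSTRUCTED_CONFIG = {
    "admin_token": "PLACEHOLDER-NOT-A-REAL-TOKEN",
    "public_port": 5000,
    "admin_port": 35357,
}


def render_unsafe(url, request_values):
    """The weak pattern: format the URL from the whole config plus request values."""
    values = dict(CONSTRUCTED_CONFIG)
    values.update(request_values)
    return url.replace("$(", "%(") % values


def validate_endpoint_url(url):
    """Reject templates that name any key outside ALLOWED_SUBSTITUTIONS."""
    bad = sorted({k for k in TEMPLATE_KEY_RE.findall(url) if k not in ALLOWED_SUBSTITUTIONS})
    if bad:
        raise UnsafeEndpointTemplate("disallowed substitution key(s): %s" % ", ".join(bad))
    return url


def is_registrable(url):
    """Boolean form of validate_endpoint_url for callers that do not want exceptions."""
    try:
        validate_endpoint_url(url)
        return True
    except UnsafeEndpointTemplate:
        return False


def render_safe(url, request_values):
    """Hardened form: validate first, then substitute only allowlisted keys from
    an explicit dictionary rather than from the service configuration."""
    validate_endpoint_url(url)
    values = {k: CONSTRUCTED_CONFIG[k] for k in ("public_port", "admin_port")}
    values.update(request_values)

    def replace(match):
        key = match.group(1)
        if key not in values:
            raise UnsafeEndpointTemplate("no value available for %r" % key)
        return str(values[key])

    return TEMPLATE_KEY_RE.sub(replace, url)
```

Validating at registration time matters more than validating at render time: once a template with a disallowed key is stored in the catalog, every catalog read for every user would render it.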

Red Hat would like to thank the OpenStack project for reporting
CVE-2014-3621. Upstream acknowledges Brant Knudson from IBM as the original
reporter of this issue.

The openstack-keystone packages have been upgraded to upstream version
2013.2.4, which provides a number of bug fixes over the previous version.

This update fixes the following bugs:

* When using an LDAP back end, the Identity service failed with a 'Bad
search filter' error whenever a token request was made for a user whose ID
contained a comma (for example, 'Doe, John'). However, if the user's ID
contained no comma ('John Doe'), the Identity service granted token requests
as expected. This was because the LDAP back end code of the Identity server
did not properly escape special characters when creating search filters.
This update adds the necessary escaping, thereby allowing the Identity
server to perform LDAP search operations correctly. (BZ#1099628)
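The following Python example is added to this redistribution; it is not keystone's own LDAP code and does not claim to reproduce the exact defect behind BZ#1099628. It shows the two escaping rules that are easy to confuse when building LDAP queries from user-supplied identifiers: a comma is special inside a DN (RFC 4514, escaped as \,) but not inside a search filter (RFC 4515, where only backslash, asterisk, parentheses and NUL are hex-escaped). Applying DN-style escaping to a filter value produces a backslash that is not followed by two hex digits, which is the kind of malformed filter an LDAP server rejects. The object class and attribute names are assumptions for the example.

```python
import re

# Characters that must be hex-escaped inside a search filter assertion value
# (RFC 4515, section 3). Note that the comma is NOT among them.
_FILTER_SPECIAL = "\\*()\x00"

# Characters that must be backslash-escaped inside a DN attribute value
# (RFC 4514, section 2.4). Here the comma IS special.
_DN_SPECIAL = ',+"\\<>;'


def escape_filter_value(value):
    """Escape a value for use in a search filter, e.g. (cn=<value>).

    Non-ASCII characters are escaped byte-wise as UTF-8, as the RFC requires.
    """
    out = []
    for ch in value:
        if ch in _FILTER_SPECIAL or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value):
    """Escape a value for use as an RDN value, e.g. cn=<value>,ou=people,..."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(user_id, object_class="inetOrgPerson", id_attr="cn"):
    """Build the search filter for one user, escaping the id for a filter.

    The attribute name is not escaped: it is configuration, not user input.
    """
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(object_class),
        id_attr,
        escape_filter_value(user_id),
    )


# A backslash not followed by two hex digits is illegal in a filter.
_BAD_ESCAPE_RE = re.compile(r"\\(?![0-9A-Fa-f]{2})")


def filter_escapes_are_valid(search_filter):
    """True if every backslash in the filter starts a two-hex-digit escape.

    A DN-style escape such as '\\,' fails this check; a server would refuse
    the filter rather than match the user.
    """
    return _BAD_ESCAPE_RE.search(search_filter) is None
```

The practical rule is to pick the escaping function by where the value lands (filter versus DN), never by which characters happen to be in the value, and to escape every value that originates from a request even when it looks harmless.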

* Previously, if the Identity service encountered a failed connection to a
message broker, re-connection attempts kept failing as well. This was
because the Identity service tried to reconnect to the same failing message
broker, even if there were multiple hosts configured. This has been fixed
by making the reconnect() implementation select the next broker in the
list. As a result, when multiple broker hosts are provided, the Identity
service will try the next one in the list at every connection attempt.
This means that non-failure reconnect attempts will also switch from the
current broker to the next in the list. Hence, users should not rely on any
particular order when using brokers from the list. (BZ#1082669)
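The following Python example is added to this redistribution and is not the Identity service's messaging code. It models the reconnect behaviour described above: each reconnect() call starts at the host after the one tried last, and the index advances whether or not the previous attempt succeeded, so the host in use changes on every reconnect. The broker client is replaced by a constructed stand-in that fails for a chosen set of hosts.

```python
class BrokerConnectError(Exception):
    """Raised when a connection to a message broker cannot be established."""


class BrokerPool:
    """Round-robin connection over a list of broker hosts.

    Every call to reconnect() starts from the host after the one tried last,
    whether or not the previous connection failed, so callers must not rely
    on any particular host being used.
    """

    def __init__(self, hosts, connect_fn):
        if not hosts:
            raise ValueError("at least one broker host is required")
        self._hosts = list(hosts)
        self._next = 0              # index of the host to try next
        self._connect = connect_fn  # callable(host) -> connection, or raises
        self.connection = None
        self.attempts = []          # every host tried, in order (for logs/tests)

    def reconnect(self):
        """Try each host at most once, starting at the next host in rotation."""
        last_error = None
        for _ in range(len(self._hosts)):
            host = self._hosts[self._next]
            self._next = (self._next + 1) % len(self._hosts)  # advance unconditionally
            self.attempts.append(host)
            try:
                self.connection = self._connect(host)
                return host
            except BrokerConnectError as exc:
                last_error = exc
        raise BrokerConnectError("all brokers failed; last error: %s" % last_error)


def make_fake_connect(down_hosts):
    """Constructed stand-in for a real broker client: fails for hosts in down_hosts."""
    def connect(host):
        if host in down_hosts:
            raise BrokerConnectError("connection refused by %s" % host)
        return "connection-to-%s" % host
    return connect


def demo(hosts=("broker-a", "broker-b", "broker-c"), down=("broker-a",), rounds=3):
    """Reconnect `rounds` times; return the hosts used and every host attempted."""
    pool = BrokerPool(hosts, make_fake_connect(set(down)))
    used = [pool.reconnect() for _ in range(rounds)]
    return used, pool.attempts


if __name__ == "__main__":
    print(demo())
```

In the demo the first reconnect skips the failing broker-a and lands on broker-b; the second, although nothing failed, moves on to broker-c; the third wraps around, fails on broker-a again and returns broker-b. Anything that assumes "the first host in the list is the one in use" will be wrong after the first reconnect.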

* The Identity service now logs successful authentications of users.
In previous releases, only authentication failures were logged.

* When using the LDAP back end and connecting to Active Directory
anonymously, trying to use the top-level suffix as the user_tree_dn (or
tenant/role_tree_dn) failed with a communication error. This is because the
Identity service attempted to chase returned referrals, which is not
allowed by default in Active Directory for security reasons. This update
adds a new configuration option to disable referral chasing for LDAP search
operations, namely chase_referrals. When this option is disabled, the
Identity service will skip over any returned referrals without chasing
them. (BZ#1093833)

All openstack-keystone users are advised to upgrade to these updated
packages, which correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

5. Bugs fixed (https://bugzilla.redhat.com/):

1082669 - connection to multiple qpidd instances is broken
1086211 - CVE-2014-2828 openstack-keystone: denial of service via V3 API authentication chaining
1099628 - LDAP non-URL safe characters cause auth failure
1139937 - CVE-2014-3621 openstack-keystone: configuration data information leak through Keystone catalog
1146083 - Rebase openstack-keystone to 2013.2.4

6. Package List:

Red Hat Enterprise Linux OpenStack Platform 4.0:



These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from

7. References:


8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967