Add OSSA-2021-003 (CVE-2021-38155)

Change-Id: Ic9c5d7a45be8a083931b2600adbc76c9e292d0ab Closes-Bug: #1688137
2021-08-05 18:25:32 +00:00 · 2021-08-05 18:25:32 +00:00 · cf49e91bb4
parent 08f2c78ccf
commit cf49e91bb4
1 changed files with 46 additions and 0 deletions
--- a/ossa/OSSA-2021-003.yaml
+++ b/ossa/OSSA-2021-003.yaml
@ -0,0 +1,46 @@
+date: 2021-08-10
+
+id: OSSA-2021-003
+
+title: Account name and UUID oracles in account locking
+
+description: >
+  Samuel de Medeiros Queiroz with Oi Cloud reported a vulnerability affecting
+  Keystone account locking. By guessing the name of an account and failing to
+  authenticate multiple times, any unauthenticated actor could both confirm the
+  account exists and obtain that account's corresponding UUID, which might be
+  leveraged for other unrelated attacks. All Keystone deployments enabling
+  security_compliance.lockout_failure_attempts are affected.
+
+affected-products:
+  - product: Keystone
+    version: '>=10.0.0 <16.0.2, >=17.0.0 <17.0.1, >=18.0.0 <18.0.1, >=19.0.0 <19.0.1'
+
+vulnerabilities:
+  - cve-id: CVE-2021-38155
+
+reporters:
+  - name: Samuel de Medeiros Queiroz
+    affiliation: Oi Cloud
+    reported:
+      - CVE-2021-38155
+
+issues:
+  links:
+    - https://launchpad.net/bugs/1688137
+
+reviews:
+  xena:
+    - https://review.opendev.org/759940
+
+  wallaby:
+    - https://review.opendev.org/790440
+
+  victoria:
+    - https://review.opendev.org/790442
+
+  ussuri:
+    - https://review.opendev.org/790443
+
+  train:
+    - https://review.opendev.org/790444