date: 2013-02-19

id: OSSA-2013-005

title: 'EC2-style authentication accepts disabled user/tenants'

description: 'Nathanael Burton reported a vulnerability in EC2-style authentication
  in Keystone. Keystone fails to check whether a user, tenant, or domain is enabled  before
  authenticating a user using the EC2 api. Authenticated, but disabled users (or authenticated
  users in disabled tenants or domains) could therefore retain access rights that
  were thought removed. Only setups enabling EC2-style authentication are affected.
  To disable EC2-style authentication to work around the issue, remove the EC2 extension

  (keystone.contrib.ec2:Ec2Extension.factory) from the keystone API pipeline in keystone.conf. '

reference: http://lists.openstack.org/pipermail/openstack-announce/2013-February/000079.html

affected-products:

  - product: keystone
    version: All versions

vulnerabilities:

  - cve-id: CVE-2013-0282
    impact-assessment:
      source: 'Red Hat Product Security'
      rating: moderate
      assessment:
        type: CVSS2
        score: 4.0
        detail: AV:N/AC:L/Au:S/C:N/I:P/A:N
    classification:
      source: 'Red Hat Product Security'
      type: CWE
      detail: TODO

reporters:

  - name: 'Nathanael Burton'
    affiliation: 'National Security Agency'
    reported:
      - CVE-2013-0282

issues:

  links:
    - https://launchpad.net/bugs/1121494

  type: launchpad

reviews:

  grizzly:
    - https://review.openstack.org/#/c/22319

  folsom:
    - https://review.openstack.org/#/c/22320

  essex:
    - https://review.openstack.org/#/c/22321

  type: gerrit