Ubuntu Update For Keystone USN-2324-1 Network Vulnerability

Solution

Please Install the Updated Packages.

Insight

Steven Hardy discovered that OpenStack Keystone did not properly handle chained delegation. A remove authenticated attacker could use this to gain privileges by creating a new token with additional roles. (CVE-2014-3476) Jamie Lennox discovered that OpenStack Keystone did not properly validate the project id. A remote authenticated attacker may be able to use this to access other projects. (CVE-2014-3520) Brant Knudson and Lance Bragstad discovered that OpenStack Keystone would not always revoke tokens correctly. If Keystone were configured to use revocation events, a remote authenticated attacker could continue to have access to resources. (CVE-2014-5251, CVE-2014-5252, CVE-2014-5253)

Affected

keystone on Ubuntu 14.04 LTS

References

https://lists.ubuntu.com/archives/ubuntu-security-announce/2014-August/002634.html

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-3476, CVE-2014-3520, CVE-2014-5251, CVE-2014-5252, CVE-2014-5253
CVSS Base Score: 6.0
AV:N/AC:M/Au:S/C:P/I:P/A:P

Related Vulnerabilities

Ubuntu Update for keystone USN-2324-1

Take action and discover your vulnerabilities