[OSSA 2013-015] Authentication bypass when using LDAP backend (CVE-2013-2157)

OpenStack Security Advisory: 2013-015
CVE: CVE-2013-2157
Date: June 13, 2013
Title: Authentication bypass when using LDAP backend
Reporter: Jose Castro Leon (CERN)
Products: Keystone
Affects: Folsom, Grizzly

Description:
Jose Castro Leon from CERN reported a vulnerability in the way the
Keystone LDAP backend authenticates users. When provided with an empty
password, the backend would perform an anonymous LDAP bind that would
result in successfully authenticating the user. An attacker could
therefore easily impersonate any user and obtain valid tokens for that
user. Only Keystone setups using the LDAP authentication backend are
affected.
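The bind behaviour behind this advisory, as an added illustration that is not Keystone's code and not the linked fix: a constructed stand-in for an LDAP server that treats a bind with an empty password as an unauthenticated (anonymous) bind, the vulnerable authenticate pattern that passes the password straight through, and the hardened form that rejects empty passwords before binding. Class and attribute names and the sample directory are assumptions made for the example.

```python
# Added example, not Keystone's code: models the empty-password bind
# problem described in the advisory and the check that closes it.


class FakeLdapServer:
    """Constructed stand-in for an LDAP server.

    Follows RFC 4513 section 5.1.2 semantics: a simple bind that names a
    DN but supplies an empty password is an *unauthenticated* bind and
    succeeds without checking any credential; a non-empty password is
    compared against the directory entry.
    """

    def __init__(self, directory):
        self.directory = directory  # sample data: {dn: password}

    def simple_bind(self, dn, password):
        if password == "":
            # Unauthenticated bind: succeeds regardless of the DN given.
            return True
        return self.directory.get(dn) == password


class LdapBackend:
    """Minimal model of a username/password backend in front of LDAP."""

    def __init__(self, server):
        self.server = server

    def dn_for(self, username):
        # Assumed DN layout for the example.
        return "uid=%s,ou=users,dc=example,dc=com" % username

    def authenticate_vulnerable(self, username, password):
        # Vulnerable pattern: whatever the caller sent goes straight to
        # bind, so an empty password turns into an anonymous bind that
        # reports success for any username.
        return self.server.simple_bind(self.dn_for(username), password)

    def authenticate_fixed(self, username, password):
        # Hardened: refuse empty or whitespace-only passwords before the
        # bind ever reaches the directory. Pairing this with a server-side
        # policy that rejects unauthenticated binds gives defence in depth.
        if not password or not password.strip():
            return False
        return self.server.simple_bind(self.dn_for(username), password)


# Constructed sample directory with one user.
DIRECTORY = {"uid=alice,ou=users,dc=example,dc=com": "correct horse"}
```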

Havana (development branch) fix:
https://review.openstack.org/#/c/32896/

Grizzly fix:
https://review.openstack.org/#/c/32895/

Folsom fix:
https://review.openstack.org/#/c/32894/

References:
https://bugs.launchpad.net/keystone/+bug/1187305
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2157

--
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
