Description:
Nathanael Burton reported a vulnerability in EC2-style authentication in Keystone. Keystone fails to check whether a user, tenant, or domain is enabled before authenticating a user using the EC2 api. Authenticated, but disabled users (or authenticated users in disabled tenants or domains) could therefore retain access rights that were thought removed. Only setups enabling EC2-style authentication are affected. To disable EC2-style authentication to work around the issue, remove the EC2 extension (keystone.contrib.ec2:Ec2Extension.factory) from the keystone API pipeline in keystone.conf.
-----------------------------------------
Proposed release date: Tuesday, February 19 at 1500 UTC
Updated description, changing the way we refer to the EC2 extension:
------- ------- ------- ------- ------- ---
Title: Keystone EC2-style authentication accepts disabled user/tenants
Reporter: Nathanael Burton (National Security Agency)
Products: Keystone
Affects: All versions
Description: contrib. ec2:Ec2Extensio n.factory) from the keystone API pipeline in keystone.conf.
Nathanael Burton reported a vulnerability in EC2-style authentication in Keystone. Keystone fails to check whether a user, tenant, or domain is enabled before authenticating a user using the EC2 api. Authenticated, but disabled users (or authenticated users in disabled tenants or domains) could therefore retain access rights that were thought removed. Only setups enabling EC2-style authentication are affected. To disable EC2-style authentication to work around the issue, remove the EC2 extension (keystone.
------- ------- ------- ------- ------- ------
Proposed release date: Tuesday, February 19 at 1500 UTC