Title: Issues in Keystone middleware memcache signing/encryption feature
Reporter: Paul McMillan (Nebula)
Products: python-keystoneclient
Affects: Grizzly
Description:
Paul McMillan from Nebula reported multiple issues in the implementation of memcache signing/encryption feature in Keystone client middleware. An attacker with direct write access to the memcache backend (or in a man-in-the-middle position) could insert malicious data and potentially bypass the signing/encryption security strategy that was specified. Only setups that make use of memcache caching in the Keystone middleware (specify memcache_servers) and using ENCRYPT or MAC as their memcache_security_strategy are affected.
Updated impact description:
Title: Issues in Keystone middleware memcache signing/encryption feature keystoneclient
Reporter: Paul McMillan (Nebula)
Products: python-
Affects: Grizzly
Description: security_ strategy are affected.
Paul McMillan from Nebula reported multiple issues in the implementation of memcache signing/encryption feature in Keystone client middleware. An attacker with direct write access to the memcache backend (or in a man-in-the-middle position) could insert malicious data and potentially bypass the signing/encryption security strategy that was specified. Only setups that make use of memcache caching in the Keystone middleware (specify memcache_servers) and using ENCRYPT or MAC as their memcache_