[Debian] High CVE: CVE-2021-38155: keystone: information disclosure during account locking

Bug #2021546 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Zhixiong Chi
Milestone: (none)

Bug Description

CVE-2021-38155: https://nvd.nist.gov/vuln/detail/CVE-2021-38155

OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.
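The bug class in the description above, as an added, constructed illustration (not Keystone's code): a lockout check that answers an unknown name and a locked account differently, and embeds the account UUID in the lockout error, confirms the account and leaks its ID to anyone who can send failed logins; the hardened variant keeps the same counter but returns one uniform response. The user store, UUID and threshold value are made-up placeholders.

```python
# Constructed example of the account-lockout information disclosure pattern.
# Not Keystone's implementation; names, UUIDs and the threshold are assumptions.
import hmac

# assumed value of security_compliance.lockout_failure_attempts
LOCKOUT_FAILURE_ATTEMPTS = 3

# constructed user store: name -> (uuid, password); the UUID is a placeholder
USERS = {"alice": ("4f1c7a9e0c1d4b1e9e2f6b7a8c9d0e1f", "correct horse")}
failed_attempts = {}  # user name -> consecutive failed authentications


def _record_failure(name):
    failed_attempts[name] = failed_attempts.get(name, 0) + 1


def authenticate_leaky(name, password):
    """Vulnerable pattern: the lockout branch returns a distinct message
    that carries the user's UUID, so repeated failures both confirm the
    account and reveal its ID."""
    user = USERS.get(name)
    if user is None:
        return 401, "Invalid user name or password"
    user_id, secret = user
    if failed_attempts.get(name, 0) >= LOCKOUT_FAILURE_ATTEMPTS:
        return 401, f"The account is locked for user: {user_id}"
    if not hmac.compare_digest(password, secret):
        _record_failure(name)
        return 401, "Invalid user name or password"
    return 201, user_id


def authenticate_uniform(name, password):
    """Hardened pattern: unknown name, wrong password and locked account all
    get the same status and message; lockout details stay in server logs."""
    generic = (401, "Invalid user name or password")
    user = USERS.get(name)
    if user is None:
        return generic
    user_id, secret = user
    if failed_attempts.get(name, 0) >= LOCKOUT_FAILURE_ATTEMPTS:
        return generic  # still locked, but indistinguishable to the caller
    if not hmac.compare_digest(password, secret):
        _record_failure(name)
        return generic
    return 201, user_id


def responses_distinguishable(auth, name, attempts=LOCKOUT_FAILURE_ATTEMPTS + 1):
    """Regression check: True if repeated failures for `name` yield a response
    that differs from the one for a name that does not exist."""
    failed_attempts.clear()
    baseline = auth("no-such-user", "x")
    last = None
    for _ in range(attempts):
        last = auth(name, "wrong")
    return last != baseline
```

Running `responses_distinguishable` against both variants is the kind of check a deployment enabling `lockout_failure_attempts` can keep in its test suite.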

Base Score: High

References:

https://security-tracker.debian.org/tracker/CVE-2021-38155

keystone_2:18.0.0-3+deb11u1

keystone is a source package in upstream repository


Yue Tao (wrytao)
tags: added: stx.9.0 stx.security
Changed in starlingx:
assignee: nobody → Zhixiong Chi (zhixiongchi)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to upstream (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/upstream/+/886187

OpenStack Infra (hudson-openstack) wrote : Fix merged to upstream (master)

Reviewed: https://review.opendev.org/c/starlingx/upstream/+/886187
Committed: https://opendev.org/starlingx/upstream/commit/c59b61be254660f76ca3f8d9801c1f9d64158112
Submitter: "Zuul (22348)"
Branch: master

commit c59b61be254660f76ca3f8d9801c1f9d64158112
Author: Zhixiong Chi <email address hidden>
Date: Tue Jun 13 13:00:45 2023 +0800

    keystone: Upgrade to 18.0.0-3+deb11u1

    Fix CVE-2021-38155

    Refer to:
    https://security-tracker.debian.org/tracker/CVE-2021-38155

    TestPlan:
    PASS: build-pkgs -a
    PASS: build-image
    PASS: Jenkins Installation.
    PASS: Check the package version with 'dpkg -l'

    Closes-Bug: 2021546

    Change-Id: Ifb54a95842c4080a8ab0f1c03df70dd4bd1f194b
    Signed-off-by: Zhixiong Chi <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
This report contains Public Security information.
Everyone can see this security related information.
