OpenStack Keystone EC2 API security bypass vulnerability
Adela_09
2013-02-25
Published: 2013-02-10
Updated: 2013-02-23

Affected systems:
OpenStack Keystone 2012.x

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 58033
CVE(CAN) ID: CVE-2013-0282

OpenStack Keystone is the project that provides identity, token, catalog and policy services for the OpenStack family of projects.

Keystone's EC2-style authentication contains a security flaw: when authenticating a user through the EC2 API, Keystone does not check whether the user, tenant or domain is enabled before issuing a token. A disabled user whose EC2 access key and secret still validate is therefore authenticated and retains access that should have been revoked. Only deployments with EC2-style authentication enabled are affected. To disable EC2 authentication, remove the EC2 extension (keystone.contrib.ec2:Ec2Extension.factory) from the Keystone API pipeline in keystone.conf.

<*Source: Nathanael Burton
  Links: http://secunia.com/advisories/52186/
         http://lists.openstack.org/pipermail/openstack-announce/2013-February/000079.html
*>

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

openstack
---------
OpenStack has published a security advisory (2013-005) and the corresponding patches:

2013-005: [openstack-announce] [OSSA 2013-005] Keystone EC2-style authentication accepts disabled user/tenants (CVE-2013-0282)
Link: http://lists.openstack.org/pipermail/openstack-announce/2013-February/000079.html

Patch downloads:
Grizzly (development branch) fix: https://review.openstack.org/#/c/22319/
Folsom fix: https://review.openstack.org/#/c/22320/
Essex fix: https://review.openstack.org/#/c/22321/

References:
https://bugs.launchpad.net/keystone/+bug/1121494
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0282
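The workaround above (dropping the EC2 extension from the paste pipeline) is easy to get wrong when a keystone.conf has several pipeline sections, so the following audit script is added here as a worked example. It is not part of the advisory or of Keystone: it locates every [filter:*] section whose factory is keystone.contrib.ec2:Ec2Extension.factory, reports which [pipeline:*] sections still load that filter, and can emit a copy of the configuration with the filter removed from each pipeline. The sample configuration is constructed for the example and only modelled on the Essex/Folsom keystone.conf layout; the filter name ec2_extension is the conventional one but is discovered from the factory string rather than assumed.

```python
"""Audit keystone.conf pipelines for the EC2 extension (CVE-2013-0282 workaround).

Illustrative tooling, not Keystone code. The EC2 filter is identified by its
paste factory string, so it is found even if the [filter:...] section was renamed.
"""
import configparser
import re

EC2_FACTORY = "keystone.contrib.ec2:Ec2Extension.factory"

# Constructed sample config, modelled on the Essex/Folsom keystone.conf layout.
SAMPLE_CONF = """\
[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[app:public_service]
paste.app_factory = keystone.service:public_app_factory

[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory

[pipeline:public_api]
pipeline = token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = token_auth json_body ec2_extension admin_service
"""


def _parse(conf_text):
    # interpolation=None: paste configs may contain '%' that configparser would choke on
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def ec2_filter_names(conf_text):
    """Names of [filter:*] sections whose factory is the EC2 extension."""
    cp = _parse(conf_text)
    names = []
    for section in cp.sections():
        if not section.startswith("filter:"):
            continue
        factory = cp.get(section, "paste.filter_factory", fallback="").strip()
        if factory == EC2_FACTORY:
            names.append(section.split(":", 1)[1])
    return names


def pipelines_with_ec2(conf_text):
    """Map pipeline name -> True if that pipeline still loads an EC2 filter."""
    cp = _parse(conf_text)
    ec2 = set(ec2_filter_names(conf_text))
    result = {}
    for section in cp.sections():
        if section.startswith("pipeline:"):
            stages = cp.get(section, "pipeline", fallback="").split()
            result[section.split(":", 1)[1]] = any(s in ec2 for s in stages)
    return result


def remove_ec2_from_pipelines(conf_text):
    """Return conf_text with EC2 filter names dropped from every 'pipeline =' line.

    The [filter:...] definition is left in place; an unused filter is inert, and
    keeping the rest of the file byte-for-byte makes the change easy to review.
    """
    ec2 = set(ec2_filter_names(conf_text))
    out = []
    for line in conf_text.splitlines():
        m = re.match(r"^(\s*pipeline\s*=\s*)(.*)$", line)
        if m:
            stages = [s for s in m.group(2).split() if s not in ec2]
            line = m.group(1) + " ".join(stages)
        out.append(line)
    return "\n".join(out) + ("\n" if conf_text.endswith("\n") else "")


if __name__ == "__main__":
    for name, enabled in pipelines_with_ec2(SAMPLE_CONF).items():
        print(f"pipeline {name}: EC2 auth {'ENABLED' if enabled else 'disabled'}")
    print(remove_ec2_from_pipelines(SAMPLE_CONF))
```

Run it against a real file by replacing SAMPLE_CONF with the contents of keystone.conf; any pipeline reported as ENABLED is one where disabled users can still authenticate with EC2 credentials until the vendor patch is applied. The workaround removes EC2 authentication entirely, so deployments that rely on it need the patch rather than the pipeline change.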