Ubuntu Security Notice 4480-1 - It was discovered that OpenStack Keystone incorrectly handled EC2 credentials. An authenticated attacker with a limited scope could possibly create EC2 credentials with escalated permissions. It was discovered that OpenStack Keystone incorrectly handled the list of roles provided with OAuth1 access tokens. An authenticated user could possibly end up with more role assignments than intended. Various other issues were also addressed.
==========================================================================
Ubuntu Security Notice USN-4480-1
September 01, 2020
keystone vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in OpenStack Keystone.
Software Description:
- keystone: OpenStack identity service
Details:
It was discovered that OpenStack Keystone incorrectly handled EC2
credentials. An authenticated attacker with a limited scope could possibly
create EC2 credentials with escalated permissions. (CVE-2020-12689,
CVE-2020-12691)
It was discovered that OpenStack Keystone incorrectly handled the list of
roles provided with OAuth1 access tokens. An authenticated user could
possibly end up with more role assignments than intended. (CVE-2020-12690)
It was discovered that OpenStack Keystone incorrectly handled EC2 signature
TTL checks. A remote attacker could possibly use this issue to reuse
Authorization headers. (CVE-2020-12692)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
keystone 2:13.0.4-0ubuntu1
python-keystone 2:13.0.4-0ubuntu1
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4480-1
CVE-2020-12689, CVE-2020-12690, CVE-2020-12691, CVE-2020-12692
Package Information:
https://launchpad.net/ubuntu/+source/keystone/2:13.0.4-0ubuntu1