Mailing List Archive: [OSSA-2021-003] Keystone: Account name and UUID oracles in account locking (CVE-2021-38155)

===============================================================
OSSA-2021-003: Account name and UUID oracles in account locking
===============================================================

:Date: August 10, 2021
:CVE: CVE-2021-38155

Affects
~~~~~~~
- Keystone: >=10.0.0 <16.0.2, >=17.0.0 <17.0.1, >=18.0.0 <18.0.1, >=19.0.0 <19.0.1

Description
~~~~~~~~~~~
Samuel de Medeiros Queiroz with Oi Cloud reported a vulnerability
affecting Keystone account locking. By guessing the name of an
account and failing to authenticate multiple times, any
unauthenticated actor could both confirm the account exists and
obtain that account's corresponding UUID, which might be leveraged
for other unrelated attacks. All Keystone deployments enabling
security_compliance.lockout_failure_attempts are affected.

Patches
~~~~~~~
- https://review.opendev.org/790444 (Train)
- https://review.opendev.org/790443 (Ussuri)
- https://review.opendev.org/790442 (Victoria)
- https://review.opendev.org/790440 (Wallaby)
- https://review.opendev.org/759940 (Xena)

Credits
~~~~~~~
- Samuel de Medeiros Queiroz from Oi Cloud (CVE-2021-38155)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1688137
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38155

--
Jeremy Stanley

Mailing List Archive

Mailing List Archive

Attached Files: