Red Hat Product Errata RHSA-2017:1461 - Security Advisory

Issued:: 2017-06-14
Updated:: 2017-06-14

RHSA-2017:1461 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: openstack-keystone security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for openstack-keystone is now available for Red Hat OpenStack Platform 9.0 (Mitaka).

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The OpenStack Identity service (keystone) authenticates and authorizes OpenStack users by keeping track of users and their permitted activities. The Identity service supports multiple forms of authentication, including user name and password credentials, token-based systems, and AWS-style logins.

The following packages have been upgraded to a later upstream version: openstack-keystone (9.3.0). (BZ#1427684)

Security Fix(es):

An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles. (CVE-2017-2673)

Red Hat would like to thank the Openstack project for reporting this issue. Upstream acknowledges Boris Bobrov (Mail.Ru) as the original reporter.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack 9 x86_64

Fixes

BZ - 1427684 - Rebase openstack-keystone to 9.3.0
BZ - 1430228 - [BackPort] Handle catalog backends that don't support all functions.
BZ - 1439586 - CVE-2017-2673 openstack-keystone: Incorrect role assignment with federated Keystone

CVEs

CVE-2017-2673

References

https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack 9

SRPM
openstack-keystone-9.3.0-2.el7ost.src.rpm	SHA-256: 690c8f64842c5ec53e9e2c08bc8ccbf38a23ff992ef0c8590fbefb42db061d45
x86_64
openstack-keystone-9.3.0-2.el7ost.noarch.rpm	SHA-256: a357772355759ee6e9d822f642adeb3b6f7ac678972984608be7bd6c94ae18f4
python-keystone-9.3.0-2.el7ost.noarch.rpm	SHA-256: 716452ffaa9d1b17ba5e3943dd804d56e9a2c9d407385e176a7ccbc9fc86b7f0
python-keystone-tests-9.3.0-2.el7ost.noarch.rpm	SHA-256: 23bc80ac6af9d88ece7886199bdc92f178ad4456762a6a5d72c97360326b79d4

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories