Issued:: 2020-07-22
Updated:: 2020-07-22

RHSA-2020:3102 - Security Advisory

Overview
Updated Packages

Synopsis

Important: openstack-keystone security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for openstack-keystone is now available for Red Hat OpenStack
Platform 15 (Stein).

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

The OpenStack Identity service (keystone) authenticates and authorizes
OpenStack users by keeping track of users and their permitted activities.
The Identity service supports multiple forms of authentication, including
user name and password credentials, token-based systems, and AWS-style
logins.

Security Fix(es):

EC2 and credential endpoints are not protected from a scoped context

(CVE-2020-12689)

OAuth1 request token authorize silently ignores roles parameter

(CVE-2020-12690)

Credentials endpoint policy logic allows changing credential owner and

target project ID (CVE-2020-12691)

failure to check signature TTL of the EC2 credential auth method

(CVE-2020-12692)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

Solution

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat OpenStack for IBM Power 15 ppc64le
Red Hat OpenStack 15 x86_64

Fixes

BZ - 1830384 - CVE-2020-12691 openstack-keystone: Credentials endpoint policy logic allows changing credential owner and target project ID
BZ - 1830395 - CVE-2020-12690 openstack-keystone: OAuth1 request token authorize silently ignores roles parameter
BZ - 1830396 - CVE-2020-12689 openstack-keystone: EC2 and credential endpoints are not protected from a scoped context
BZ - 1833164 - CVE-2020-12692 openstack-keystone: failure to check signature TTL of the EC2 credential auth method

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenStack for IBM Power 15

SRPM
openstack-keystone-15.0.1-0.20200512110437.95b2bbe.el8ost.src.rpm	SHA-256: f5a7c2f2fc0b4c89c252753a9b95a82956516026de27f9c4841850968c9272de
ppc64le
openstack-keystone-15.0.1-0.20200512110437.95b2bbe.el8ost.noarch.rpm	SHA-256: e732b5945813d0871923c37db310b168635e981fb664fddddda8fa1490790782
python3-keystone-15.0.1-0.20200512110437.95b2bbe.el8ost.noarch.rpm	SHA-256: 2c71534b96e12c8727067fcd6c98b116325b4a50ff50ffc7bf64ad0ada9e6fa3

Red Hat OpenStack 15

SRPM
openstack-keystone-15.0.1-0.20200512110437.95b2bbe.el8ost.src.rpm	SHA-256: f5a7c2f2fc0b4c89c252753a9b95a82956516026de27f9c4841850968c9272de
x86_64
openstack-keystone-15.0.1-0.20200512110437.95b2bbe.el8ost.noarch.rpm	SHA-256: e732b5945813d0871923c37db310b168635e981fb664fddddda8fa1490790782
python3-keystone-15.0.1-0.20200512110437.95b2bbe.el8ost.noarch.rpm	SHA-256: 2c71534b96e12c8727067fcd6c98b116325b4a50ff50ffc7bf64ad0ada9e6fa3

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation