[OSSA-2021-003] Keystone: Account name and UUID oracles in account locking (CVE-2021-38155)

[Jeremy Stanley <fungi () yuggoth org>]

===============================================================
OSSA-2021-003: Account name and UUID oracles in account locking
===============================================================

:Date: August 10, 2021
:CVE: CVE-2021-38155


Affects
~~~~~~~
- Keystone: >=10.0.0 <16.0.2, >=17.0.0 <17.0.1, >=18.0.0 <18.0.1, >=19.0.0 <19.0.1


Description
~~~~~~~~~~~
Samuel de Medeiros Queiroz with Oi Cloud reported a vulnerability
affecting Keystone account locking. By guessing the name of an
account and failing to authenticate multiple times, any
unauthenticated actor could both confirm the account exists and
obtain that account's corresponding UUID, which might be leveraged
for other unrelated attacks. All Keystone deployments enabling
security_compliance.lockout_failure_attempts are affected.


Patches
~~~~~~~
- https://review.opendev.org/790444 (Train)
- https://review.opendev.org/790443 (Ussuri)
- https://review.opendev.org/790442 (Victoria)
- https://review.opendev.org/790440 (Wallaby)
- https://review.opendev.org/759940 (Xena)


Credits
~~~~~~~
- Samuel de Medeiros Queiroz from Oi Cloud (CVE-2021-38155)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1688137
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38155

-- 
Jeremy Stanley

Attachment: signature.asc
Description: