CVE-2012-5571 : EC2-style credentials invalidation issue

OpenStack Security Advisory: 2012-018

CVE: CVE-2012-5571
Date: November 28, 2012
Title: EC2-style credentials invalidation issue
Reporter: Vijaya Erukala
Products: Keystone
Affects: All versions


Vijaya Erukala reported a vulnerability in Keystone EC2-style
credentials invalidation: when a user is removed from a tenant, issued
EC2-style credentials would continue to be valid for that tenant. An
authenticated and authorized user could potentially leverage this
vulnerability to extend his access beyond the account owner's
expectations. Only setups enabling EC2-style credentials (for example
enabling the EC2 API in Nova) are affected.
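
The following added example (not Keystone code and not the published fix) models the issue with a hypothetical in-memory `IdentityStore`: it contrasts a credential check that trusts the stored tenant scope with one that re-checks current membership, and includes an audit that lists credentials left behind after a removal. All names, keys and users are constructed for illustration, and the membership re-check is an assumed mitigation pattern.

```python
class IdentityStore:
    """Hypothetical in-memory stand-in for an identity backend (not Keystone code)."""

    def __init__(self):
        self.members = set()  # (user_id, tenant_id) pairs that hold a role
        self.creds = {}       # access key -> (user_id, tenant_id)

    def add_user_to_tenant(self, user_id, tenant_id):
        self.members.add((user_id, tenant_id))

    def remove_user_from_tenant(self, user_id, tenant_id):
        # Mirrors the reported behaviour: membership is dropped, but
        # EC2-style credentials already issued are left in place.
        self.members.discard((user_id, tenant_id))

    def issue_credential(self, access, user_id, tenant_id):
        if (user_id, tenant_id) not in self.members:
            raise PermissionError("user is not a member of tenant")
        self.creds[access] = (user_id, tenant_id)

    def authenticate_unchecked(self, access):
        # Flawed pattern: the stored credential alone decides the tenant scope.
        owner = self.creds.get(access)
        return owner[1] if owner else None

    def authenticate_checked(self, access):
        # Hardened pattern (assumed): re-check current membership on every use.
        owner = self.creds.get(access)
        return owner[1] if owner in self.members else None

    def stale_credentials(self):
        # Audit: access keys whose user no longer belongs to the tenant.
        return sorted(a for a, owner in self.creds.items()
                      if owner not in self.members)


def demo():
    store = IdentityStore()
    store.add_user_to_tenant("alice", "tenant-a")  # constructed sample data
    store.issue_credential("AK-CONSTRUCTED-1", "alice", "tenant-a")
    store.add_user_to_tenant("bob", "tenant-a")
    store.issue_credential("AK-CONSTRUCTED-2", "bob", "tenant-a")
    store.remove_user_from_tenant("alice", "tenant-a")
    return store


if __name__ == "__main__":
    s = demo()
    print("unchecked:", s.authenticate_unchecked("AK-CONSTRUCTED-1"))
    print("checked:  ", s.authenticate_checked("AK-CONSTRUCTED-1"))
    print("stale:    ", s.stale_credentials())
```

On an affected deployment, the same audit idea applies to the real credential and role-assignment tables: any EC2-style credential whose user no longer holds a role in the credential's tenant should be revoked.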

Grizzly (development branch) fix:

Folsom fix (included in upcoming Keystone 2012.2.1 stable update):

Essex fix:

