Security Bulletin
Summary
Vulnerability in Keystone affects IBM SmartCloud Orchestrator (CVE-2014-3476).
Vulnerability Details
By creating a delegation from a trust or OAuth token, a trustee might abuse the identity impersonation against keystone and circumvent the enforced scope, which results in potential elevated privileges to any of the trustor's projects and or roles. All Keystone deployments configured to enable trusts are affected, which has been the default since Grizzly.
CVE-ID: CVE-2014-3476
DESCRIPTION: OpenStack Keystone might allow a remote authenticated attacker to gain elevated privileges on the system, which is caused by an error when handling a project ID. An attacker with the appropriate roles might exploit this vulnerability to gain elevated privileges on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93791 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Affected Products and Versions
IBM SmartCloud Orchestrator V2.3 and IBM SmartCloud Orchestrator V2.3.0 Fix Pack 1 up to Interim Fix 4
Remediation/Fixes
The recommended solution is to apply the fix as soon as practical. Upgrade to IBM SmartCloud Orchestrator V2.3.0 Fix Pack 1 Interim Fix 5.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Change History
First version published November 20, 2014
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
17 June 2018
UID
swg21690278