Test ID:	1.3.6.1.4.1.25623.1.0.841130
Category:	Ubuntu Local Security Checks
Title:	Ubuntu: Security Advisory (USN-1552-1)
Summary:	The remote host is missing an update for the 'keystone' package(s) announced via the USN-1552-1 advisory.
Description:	Summary: The remote host is missing an update for the 'keystone' package(s) announced via the USN-1552-1 advisory. Vulnerability Insight: Dolph Mathews discovered that OpenStack Keystone did not properly restrict to administrative users the ability to update users' tenants. A remote attacker that can reach the administrative API can use this to add any user to any tenant. (CVE-2012-3542) Derek Higgins discovered that OpenStack Keystone did not properly implement token expiration. A remote attacker could use this to continue to access an account that has been disabled or has a changed password. (CVE-2012-3426) Affected Software/OS: 'keystone' package(s) on Ubuntu 12.04. Solution: Please install the updated package(s). CVSS Score: 4.9 CVSS Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2012-3426 50045 http://secunia.com/advisories/50045 50494 http://secunia.com/advisories/50494 USN-1552-1 http://www.ubuntu.com/usn/USN-1552-1 [oss-security] 20120727 [OSSA 2012-010] Various Keystone token expiration issues (CVE-2012-3426) http://www.openwall.com/lists/oss-security/2012/07/27/4 http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b32354558391826a4aa http://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb18ee6a355 http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c728ccb8626 http://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f0279256f5d http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e0309f0db454 http://github.com/openstack/keystone/commit/ea03d05ed5de0c015042876100d37a6a14bf56de https://bugs.launchpad.net/keystone/+bug/996595 https://bugs.launchpad.net/keystone/+bug/997194 https://bugs.launchpad.net/keystone/+bug/998185 https://launchpad.net/keystone/essex/2012.1.1/+download/keystone-2012.1.1.tar.gz Common Vulnerability Exposure (CVE) ID: CVE-2012-3542 50467 http://secunia.com/advisories/50467 55326 http://www.securityfocus.com/bid/55326 [openstack] 20120830 [OSSA 2012-013] Keystone, Lack of authorization for adding users to tenants (CVE-2012-3542) https://lists.launchpad.net/openstack/msg16282.html [oss-security] 20120830 [OSSA 2012-013] Keystone, Lack of authorization for adding users to tenants (CVE-2012-3542) http://www.openwall.com/lists/oss-security/2012/08/30/6 https://bugs.launchpad.net/keystone/+bug/1040626 https://github.com/openstack/keystone/commit/5438d3b5a219d7c8fa67e66e538d325a61617155 https://github.com/openstack/keystone/commit/c13d0ba606f7b2bdc609a7f388334e5efec3f3aa
Copyright	Copyright (C) 2012 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.