(RHSA-2017:3227) Moderate: openstack-aodh security update

ID RHSA-2017:3227
Type redhat
Reporter RedHat
Modified 2017-11-15T18:11:57


openstack-aodh provides the ability to trigger actions based on defined rules against metric or event data collected by OpenStack Telemetry (ceilometer) or Time-Series-Database-as-a-Service (gnocchi).

Security Fix(es):

  • A verification flaw was found in openstack-aodh. An HTTP alarm action may carry a Keystone trust ID, but openstack-aodh did not verify that the named trust had been delegated by the user creating the alarm, so the trust could belong to anyone. Because openstack-aodh then used that trust to obtain a keystone token for the alarm action, a malicious user could supply another user's trust ID and obtain a keystone token carrying that user's delegated authority. (CVE-2017-12440)

This issue was discovered by Luke Hinds (Red Hat). Upstream acknowledges Zane Bitter (Red Hat) as the original reporter.
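
As an added illustration of the flaw described above (constructed example code, not openstack-aodh's or Keystone's own implementation), the block below models a trust-based HTTP alarm action whose URL carries a trust ID, a stand-in trust store, and two resolvers: the unverified behaviour beside a hardened version that accepts a trust only if its trustor is the user making the request and its trustee is the service itself. The "trust+http://<trust_id>@host/path" URL form, the trust record fields, the token shape and the service user name are assumptions made for the example.

```python
"""Constructed illustration of the CVE-2017-12440 bug class; not aodh code.

A trust-based HTTP alarm action embeds a Keystone trust ID in the action
URL (assumed form: "trust+http://<trust_id>@host/path"). Before using
it, the service must check that the trust was delegated by the user who
is creating the alarm; otherwise any caller can name someone else's trust
and the service exchanges it for that person's delegated token.
The trust store, token issuance and service user below are stand-ins.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

SERVICE_USER = "aodh-service"  # assumed: the trustee every valid trust names


@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor_user_id: str   # user who delegated authority
    trustee_user_id: str   # user allowed to consume the trust
    roles: tuple           # roles the trust-scoped token would carry


# Constructed trust records standing in for Keystone's trust table.
TRUSTS = {
    "t-victim": Trust("t-victim", "victim", SERVICE_USER, ("admin",)),
    "t-attacker": Trust("t-attacker", "attacker", SERVICE_USER, ("member",)),
    "t-other-svc": Trust("t-other-svc", "victim", "some-other-service", ("admin",)),
}


class TrustRejected(Exception):
    """Raised when a trust must not be used for this request."""


def trust_id_from_action(action_url):
    """Extract the trust ID from a trust+http(s) alarm action URL."""
    parts = urlsplit(action_url)
    if not parts.scheme.startswith("trust+"):
        raise ValueError("not a trust-based action")
    if not parts.username:
        raise ValueError("no trust ID embedded in action URL")
    return parts.username


def token_from_trust(trust):
    """Stand-in for Keystone issuing a trust-scoped token to the trustee."""
    return {"user_id": trust.trustor_user_id, "roles": list(trust.roles)}


def resolve_action_vulnerable(action_url, requesting_user):
    """Flawed behaviour: the trust ID is used without any ownership check.

    requesting_user is accepted but never consulted, which is the bug.
    """
    trust = TRUSTS.get(trust_id_from_action(action_url))
    if trust is None:
        raise TrustRejected("unknown trust")
    return token_from_trust(trust)


def resolve_action_fixed(action_url, requesting_user):
    """Hardened: only a trust delegated BY the requester TO this service is used."""
    trust = TRUSTS.get(trust_id_from_action(action_url))
    if trust is None:
        raise TrustRejected("unknown trust")
    if trust.trustor_user_id != requesting_user:
        raise TrustRejected("trust was not delegated by the requesting user")
    if trust.trustee_user_id != SERVICE_USER:
        raise TrustRejected("trust is not delegated to this service")
    return token_from_trust(trust)


def attempt(resolver, action_url, requesting_user):
    """Run a resolver and report (accepted, token_or_reason) without raising."""
    try:
        return True, resolver(action_url, requesting_user)
    except TrustRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # The attacker names the victim's trust in their own alarm action.
    hostile = "trust+http://t-victim@alerts.example.test/hook"
    print("vulnerable:", attempt(resolve_action_vulnerable, hostile, "attacker"))
    print("fixed:     ", attempt(resolve_action_fixed, hostile, "attacker"))
    print("own trust: ", attempt(resolve_action_fixed,
                                 "trust+http://t-attacker@alerts.example.test/hook",
                                 "attacker"))
```

Run stand-alone, the vulnerable resolver hands the attacker a token scoped to "victim" with the admin role, while the fixed resolver refuses it and only accepts the attacker's own trust. The trustee check matters as well: a trust the victim delegated to some other service should not be consumable here even though the victim is the requester.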