Bug#992331: buster-pu: package keystone/18.0.0-3+deb11u1 (CVE-2021-38155)
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
This update addresses CVE-2021-38155 by adding the upstream patch,
and also tweaks keystone-uwsgi.ini for performance.
[ Impact ]
Anyone having the lockout_failure_attempts feature enabled
can be attacked to discover project IDs.
[ Tests ]
Upstream has a functional test suite, and unit testing.
The package runs unit tests at build time. The unit tests
include testing of the modified feature (i.e. it now tests
that Keystone replies with "unauthorized" instead of
"locked").
[ Risks ]
This is a minor change in the way Keystone replies to
unauthorized requests. There's no other change involved.
I believe that's very safe.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
On top of the patch, the changes include a tweak in
the uwsgi configuration file. It really makes a huge
difference in performance, and IMO, that's very important,
especially for Keystone, which is usually a very busy
component of any OpenStack deployment, so I would very much
like this to be accepted too.
Please allow me to upload keystone/18.0.0-3+deb11u1.
Cheers,
Thomas Goirand (zigo)
diff -Nru keystone-18.0.0/debian/changelog keystone-18.0.0/debian/changelog
--- keystone-18.0.0/debian/changelog 2020-11-21 23:09:55.000000000 +0100
+++ keystone-18.0.0/debian/changelog 2021-03-17 12:06:20.000000000 +0100
@@ -1,3 +1,12 @@
+keystone (2:18.0.0-3+deb11u1) bullseye; urgency=medium
+
+ * Tune keystone-uwsgi.ini for performance.
+ * CVE-2021-38155 / OSSA-2021-003: Account name and UUID oracles in account
+ locking. Applied upstream patch: Hide AccountLocked exception from end
+ users (Closes: #992070).
+
+ -- Thomas Goirand <zigo@debian.org> Wed, 17 Mar 2021 12:06:20 +0100
+
keystone (2:18.0.0-3) unstable; urgency=medium
* Removed python3-crypto from (build-)depends (Closes: #971310).
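Review bot: the suite in the new changelog entry (`bullseye`, version `2:18.0.0-3+deb11u1`) does not match the request, which is titled buster-pu and tagged buster; a buster upload would need distribution `buster` and a `+deb10u1` version suffix, so one of the two should be corrected before upload. The entry's timestamp (Wed, 17 Mar 2021) also predates the `Last-Update: 2021-08-14` field in the patch this entry introduces, which suggests the date was not refreshed when the CVE item was added; re-run `dch -r` so the changelog date reflects the actual upload.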
diff -Nru keystone-18.0.0/debian/keystone-uwsgi.ini keystone-18.0.0/debian/keystone-uwsgi.ini
--- keystone-18.0.0/debian/keystone-uwsgi.ini 2020-11-21 23:09:55.000000000 +0100
+++ keystone-18.0.0/debian/keystone-uwsgi.ini 2021-03-17 12:06:20.000000000 +0100
@@ -12,16 +12,14 @@
# This is running standalone
master = true
-# Threads and processes
-enable-threads = true
-
-processes = 4
-
# uwsgi recommends this to prevent thundering herd on accept.
thunder-lock = true
+# Default plugins to load
plugins = python3,apparmor
+# We do have a keystone apparmor profile in this package,
+# so let's use it.
apparmor-profile = keystone
# This ensures that file descriptors aren't shared between the WSGI application processes.
@@ -36,10 +34,26 @@
# exit instead of brutal reload on SIGTERM
die-on-term = true
+##########################
+### Performance tuning ###
+##########################
+# Threads and processes
+enable-threads = true
+
+# For max perf, set this to number of core*2
+processes = 8
+
+# This was benchmarked as a good value
+threads = 32
+
+# This is the number of sockets in the queue.
+# It improves a lot performances. This is comparable
+# to the Apache ServerLimit/MaxClients option.
+listen = 100
+
##################################
### OpenStack service specific ###
##################################
-
# This is the standard port for the WSGI application, listening on all available IPs
logto = /var/log/keystone/keystone.log
name = keystone-api
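Review bot: the comment on `listen` is misleading: in uWSGI, `listen` is the socket backlog (the queue of pending connections the kernel holds before `accept()`), so the Apache analogue is `ListenBacklog`, not `ServerLimit`/`MaxClients`, which cap the number of workers and correspond to `processes` × `threads` here. Suggest rewording it to "Listen queue (backlog) size, comparable to Apache's ListenBacklog". Separately, `processes = 8` is hardcoded while its own comment says "number of core*2"; a packaged default runs on hosts of any size, so either say explicitly that operators should tune it to their core count or derive it (uWSGI's `%k` magic variable expands to the detected core count, if I recall the docs correctly). Finally, going from 4 processes to 8 processes × 32 threads is a noticeable change in resource footprint for a stable update and is not a regression fix; it should at least be called out in the changelog or a NEWS entry for existing installs, and the release team may prefer it split from the security fix.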
diff -Nru keystone-18.0.0/debian/patches/CVE-2021-38155_Hide_AccountLocked_exception_from_end_users.patch keystone-18.0.0/debian/patches/CVE-2021-38155_Hide_AccountLocked_exception_from_end_users.patch
--- keystone-18.0.0/debian/patches/CVE-2021-38155_Hide_AccountLocked_exception_from_end_users.patch 1970-01-01 01:00:00.000000000 +0100
+++ keystone-18.0.0/debian/patches/CVE-2021-38155_Hide_AccountLocked_exception_from_end_users.patch 2021-03-17 12:06:20.000000000 +0100
@@ -0,0 +1,106 @@
+Description:: CVE-2021-38155 Hide AccountLocked exception from end users
+ This change hides the AccountLocked exception from being returned
+ to the end user to hide sensitive information that a potential
+ malicious person could gain insight from.
+ .
+ The notification handler catches the AccountLocked exception as
+ before, but after sending the audit notification, it instead
+ bubbles up Unauthorized rather than AccountLocked.
+Author: Gage Hugo <gagehugo@gmail.com>
+Date: Tue, 27 Oct 2020 15:22:04 -0500
+Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com>
+Change-Id: Id51241989b22c52810391f3e8e1cadbf8613d873
+Bug-Ubuntu: https://bugs.launchpad.net/keystone/+bug/1688137
+Bug-Debian: https://bugs.debian.org/992070
+Origin: upstream, https://review.opendev.org/c/openstack/keystone/+/790442/
+Last-Update: 2021-08-14
+
+diff --git a/keystone/notifications.py b/keystone/notifications.py
+index e536ebd..a59b1d0 100644
+--- a/keystone/notifications.py
++++ b/keystone/notifications.py
+@@ -580,6 +580,8 @@
+ taxonomy.OUTCOME_FAILURE,
+ target, self.event_type,
+ reason=audit_reason)
++ if isinstance(ex, exception.AccountLocked):
++ raise exception.Unauthorized
+ raise
+ except Exception:
+ # For authentication failure send a CADF event as well
+diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py
+index b0fb720..308cc01 100644
+--- a/keystone/tests/unit/common/test_notifications.py
++++ b/keystone/tests/unit/common/test_notifications.py
+@@ -802,7 +802,7 @@
+ password = uuid.uuid4().hex
+ new_password = uuid.uuid4().hex
+ expected_responses = [AssertionError, AssertionError, AssertionError,
+- exception.AccountLocked]
++ exception.Unauthorized]
+ user_ref = unit.new_user_ref(domain_id=self.domain_id,
+ password=password)
+ user_ref = PROVIDERS.identity_api.create_user(user_ref)
+diff --git a/keystone/tests/unit/identity/test_backend_sql.py b/keystone/tests/unit/identity/test_backend_sql.py
+index 8c7fb31..0a99002 100644
+--- a/keystone/tests/unit/identity/test_backend_sql.py
++++ b/keystone/tests/unit/identity/test_backend_sql.py
+@@ -613,7 +613,7 @@
+ )
+ # test locking out user after max failed attempts
+ self._fail_auth_repeatedly(self.user['id'])
+- self.assertRaises(exception.AccountLocked,
++ self.assertRaises(exception.Unauthorized,
+ PROVIDERS.identity_api.authenticate,
+ user_id=self.user['id'],
+ password=uuid.uuid4().hex)
+@@ -642,7 +642,7 @@
+ with self.make_request():
+ # lockout user
+ self._fail_auth_repeatedly(self.user['id'])
+- self.assertRaises(exception.AccountLocked,
++ self.assertRaises(exception.Unauthorized,
+ PROVIDERS.identity_api.authenticate,
+ user_id=self.user['id'],
+ password=uuid.uuid4().hex)
+@@ -661,7 +661,7 @@
+ with self.make_request():
+ # lockout user
+ self._fail_auth_repeatedly(self.user['id'])
+- self.assertRaises(exception.AccountLocked,
++ self.assertRaises(exception.Unauthorized,
+ PROVIDERS.identity_api.authenticate,
+ user_id=self.user['id'],
+ password=uuid.uuid4().hex)
+@@ -687,7 +687,7 @@
+ with self.make_request():
+ # lockout user
+ self._fail_auth_repeatedly(self.user['id'])
+- self.assertRaises(exception.AccountLocked,
++ self.assertRaises(exception.Unauthorized,
+ PROVIDERS.identity_api.authenticate,
+ user_id=self.user['id'],
+ password=uuid.uuid4().hex)
+@@ -697,7 +697,7 @@
+ # repeat failed auth the max times
+ self._fail_auth_repeatedly(self.user['id'])
+ # test user account is locked
+- self.assertRaises(exception.AccountLocked,
++ self.assertRaises(exception.Unauthorized,
+ PROVIDERS.identity_api.authenticate,
+ user_id=self.user['id'],
+ password=uuid.uuid4().hex)
+diff --git a/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
+new file mode 100644
+index 0000000..bd7a060
+--- /dev/null
++++ b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml
+@@ -0,0 +1,8 @@
++---
++fixes:
++ - |
++ [`bug 1688137 <https://bugs.launchpad.net/keystone/+bug/1688137>`_]
++ Fixed the AccountLocked exception being shown to the end user since
++ it provides some information that could be exploited by a
++ malicious user. The end user will now see Unauthorized instead of
++ AccountLocked, preventing user info oracle exploitation.
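Review bot: the DEP-3 header has a doubled colon in `Description::` on the first line of the new patch file, which DEP-3 tooling will not recognise as the Description field; drop the extra colon. `Date:` is not a DEP-3 field (harmless, but nonstandard), and since bugs.launchpad.net/keystone is the upstream tracker the conventional field is `Bug:` rather than `Bug-Ubuntu:`. The code change itself matches the upstream review given in `Origin`: the CADF failure notification with `reason=audit_reason` is still sent before the exception is swapped, so operators keep the lockout reason in the audit trail while the client only sees Unauthorized. One thing worth confirming: because `raise exception.Unauthorized` happens inside the `except` block, the original AccountLocked stays attached as `__context__`, which is fine for server-side tracebacks but should be checked against the error renderer to be sure chained exceptions never reach the response body.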
diff -Nru keystone-18.0.0/debian/patches/series keystone-18.0.0/debian/patches/series
--- keystone-18.0.0/debian/patches/series 2020-11-21 23:09:55.000000000 +0100
+++ keystone-18.0.0/debian/patches/series 2021-03-17 12:06:20.000000000 +0100
@@ -1,3 +1,4 @@
fixes-keystone-default-catalog.patch
#fixes-default-connection.patch
install-missing-files.patch
+CVE-2021-38155_Hide_AccountLocked_exception_from_end_users.patch
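As an added illustration of the pattern this update backports, here is a small Python model of an authentication layer that records the precise failure reason (wrong password, unknown account, locked account) in an audit log but exposes one uniform Unauthorized error to the caller. This is example code written for this page, not Keystone's code or part of the bug report; the class names, the `LOCKOUT_FAILURE_ATTEMPTS` threshold, the hash function standing in for a real password KDF and the sample user are all constructed. It also does something the page does not discuss, always hashing and comparing even for an unknown account, so the missing-account path does not become a timing oracle.

```python
"""Uniform authentication failures with a server-side audit trail.

Added example (not Keystone code): the caller sees the same Unauthorized
error whether the password was wrong, the account does not exist, or the
account is locked, while the audit record keeps the precise reason.
All names, thresholds and data are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass


class Unauthorized(Exception):
    """The only authentication error ever exposed to a client."""


class AccountLocked(Unauthorized):
    """Internal-only: too many failed attempts for this account."""


# Hypothetical threshold, analogous to a lockout_failure_attempts setting.
LOCKOUT_FAILURE_ATTEMPTS = 3


def _hash(password):
    # Stand-in for a proper password KDF; constructed for the example only.
    return hashlib.sha256(password.encode("utf-8")).digest()


# Compared against when the account does not exist, so that path costs the
# same work as a real comparison instead of returning early.
_DUMMY_HASH = _hash("")


@dataclass
class User:
    user_id: str
    password_hash: bytes
    failed_attempts: int = 0


@dataclass
class AuditEvent:
    user_id: str
    outcome: str  # "success" or "failure"
    reason: str   # precise reason, kept server-side only


class Identity:
    def __init__(self, users):
        self.users = {u.user_id: u for u in users}
        self.audit_log = []

    def _authenticate(self, user_id, password):
        """Backend layer: raises precise exceptions, never seen by clients."""
        user = self.users.get(user_id)
        stored = user.password_hash if user is not None else _DUMMY_HASH
        # Constant-time compare, performed unconditionally (timing hygiene).
        password_ok = hmac.compare_digest(stored, _hash(password))
        if user is None:
            raise Unauthorized("no_such_user")
        if user.failed_attempts >= LOCKOUT_FAILURE_ATTEMPTS:
            raise AccountLocked("account_locked")
        if not password_ok:
            user.failed_attempts += 1
            raise Unauthorized("invalid_password")
        user.failed_attempts = 0

    def authenticate(self, user_id, password):
        """Public layer: audit the precise reason, expose a uniform error."""
        try:
            self._authenticate(user_id, password)
        except Unauthorized as ex:
            # The audit event carries the real reason, as the CADF
            # notification does in the upstream fix ...
            self.audit_log.append(AuditEvent(user_id, "failure", str(ex)))
            # ... and only then is a plain Unauthorized raised to the caller.
            # `from None` drops the chained context so a renderer that prints
            # exception chains cannot leak the original type either.
            raise Unauthorized("unauthorized") from None
        self.audit_log.append(AuditEvent(user_id, "success", "ok"))
        return True


def client_view(identity, user_id, password):
    """Everything a remote caller can observe: exception type and message."""
    try:
        identity.authenticate(user_id, password)
        return ("ok", "")
    except Unauthorized as ex:
        return (type(ex).__name__, str(ex))


if __name__ == "__main__":
    ident = Identity([User("alice", _hash("correct horse"))])
    for _ in range(LOCKOUT_FAILURE_ATTEMPTS):
        print(client_view(ident, "alice", "wrong"))
    print(client_view(ident, "alice", "wrong"))   # locked now
    print(client_view(ident, "bob", "anything"))  # unknown account
    for event in ident.audit_log:
        print(event)
```

Run as a script it prints five identical `('Unauthorized', 'unauthorized')` tuples, while the audit log distinguishes `invalid_password`, `account_locked` and `no_such_user`; that split between what is logged and what is returned is the whole of the fix.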