Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
[ Reason ]
This update addresses CVE-2021-38155 by adding the upstream patch, and also tweaks keystone-uwsgi.ini for performance.

[ Impact ]
Anyone having the lockout_failure_attempts feature enabled can be attacked to discover project IDs.

[ Tests ]
Upstream has a functional test suite, and unit testing. The package runs unit tests at build time. The unit tests include testing of the modified feature (i.e. it now tests that Keystone replies with "unauthorized" instead of "locked").

[ Risks ]
This is a minor change in the way Keystone replies to unauthorized requests. There's no other change involved. I believe that's very safe.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
On top of the patch, the changes include a tweak in the uwsgi configuration file. It really makes a huge difference in performance, and IMO that's very important, especially for Keystone, which is usually a very busy component of any OpenStack deployment, so I would very much like this to be accepted too.

Please allow me to upload keystone/18.0.0-3+deb11u1.

Cheers,

Thomas Goirand (zigo)
diff -Nru keystone-18.0.0/debian/changelog keystone-18.0.0/debian/changelog --- keystone-18.0.0/debian/changelog 2020-11-21 23:09:55.000000000 +0100 +++ keystone-18.0.0/debian/changelog 2021-03-17 12:06:20.000000000 +0100 @@ -1,3 +1,12 @@ +keystone (2:18.0.0-3+deb11u1) bullseye; urgency=medium + + * Tune keystone-uwsgi.ini for performance. + * CVE-2021-38155 / OSSA-2021-003: Account name and UUID oracles in account + locking. Applied upstream patch: Hide AccountLocked exception from end + users (Closes: #992070). + + -- Thomas Goirand <[email protected]> Wed, 17 Mar 2021 12:06:20 +0100 + keystone (2:18.0.0-3) unstable; urgency=medium * Removed python3-crypto from (build-)depends (Closes: #971310). diff -Nru keystone-18.0.0/debian/keystone-uwsgi.ini keystone-18.0.0/debian/keystone-uwsgi.ini --- keystone-18.0.0/debian/keystone-uwsgi.ini 2020-11-21 23:09:55.000000000 +0100 +++ keystone-18.0.0/debian/keystone-uwsgi.ini 2021-03-17 12:06:20.000000000 +0100 @@ -12,16 +12,14 @@ # This is running standalone master = true -# Threads and processes -enable-threads = true - -processes = 4 - # uwsgi recommends this to prevent thundering herd on accept. thunder-lock = true +# Default plugins to load plugins = python3,apparmor +# We do have a keystone apparmor profile in this package, +# so let's use it. apparmor-profile = keystone # This ensures that file descriptors aren't shared between the WSGI application processes. 
@@ -36,10 +34,26 @@ # exit instead of brutal reload on SIGTERM die-on-term = true +########################## +### Performance tuning ### +########################## +# Threads and processes +enable-threads = true + +# For max perf, set this to number of core*2 +processes = 8 + +# This was benchmarked as a good value +threads = 32 + +# This is the number of sockets in the queue. +# It improves a lot performances. This is comparable +# to the Apache ServerLimit/MaxClients option. +listen = 100 + ################################## ### OpenStack service specific ### ################################## - # This is the standard port for the WSGI application, listening on all available IPs logto = /var/log/keystone/keystone.log name = keystone-api diff -Nru keystone-18.0.0/debian/patches/CVE-2021-38155_Hide_AccountLocked_exception_from_end_users.patch keystone-18.0.0/debian/patches/CVE-2021-38155_Hide_AccountLocked_exception_from_end_users.patch --- keystone-18.0.0/debian/patches/CVE-2021-38155_Hide_AccountLocked_exception_from_end_users.patch 1970-01-01 01:00:00.000000000 +0100 +++ keystone-18.0.0/debian/patches/CVE-2021-38155_Hide_AccountLocked_exception_from_end_users.patch 2021-03-17 12:06:20.000000000 +0100 
@@ -0,0 +1,106 @@ +Description:: CVE-2021-38155 Hide AccountLocked exception from end users + This change hides the AccountLocked exception from being returned + to the end user to hide sensitive information that a potential + malicious person could gain insight from. + . + The notification handler catches the AccountLocked exception as + before, but after sending the audit notification, it instead + bubbles up Unauthorized rather than AccountLocked. +Author: Gage Hugo <[email protected]> +Date: Tue, 27 Oct 2020 15:22:04 -0500 +Co-Authored-By: Samuel de Medeiros Queiroz <[email protected]> +Change-Id: Id51241989b22c52810391f3e8e1cadbf8613d873 +Bug-Ubuntu: https://bugs.launchpad.net/keystone/+bug/1688137 +Bug-Debian: https://bugs.debian.org/992070 +Origin: upstream, https://review.opendev.org/c/openstack/keystone/+/790442/ +Last-Update: 2021-08-14 + +diff --git a/keystone/notifications.py b/keystone/notifications.py +index e536ebd..a59b1d0 100644 +--- a/keystone/notifications.py ++++ b/keystone/notifications.py +@@ -580,6 +580,8 @@ + taxonomy.OUTCOME_FAILURE, + target, self.event_type, + reason=audit_reason) ++ if isinstance(ex, exception.AccountLocked): ++ raise exception.Unauthorized + raise + except Exception: + # For authentication failure send a CADF event as well +diff --git a/keystone/tests/unit/common/test_notifications.py b/keystone/tests/unit/common/test_notifications.py +index b0fb720..308cc01 100644 +--- a/keystone/tests/unit/common/test_notifications.py ++++ b/keystone/tests/unit/common/test_notifications.py +@@ -802,7 +802,7 @@ + password = uuid.uuid4().hex + new_password = uuid.uuid4().hex + expected_responses = [AssertionError, AssertionError, AssertionError, +- exception.AccountLocked] ++ exception.Unauthorized] + user_ref = unit.new_user_ref(domain_id=self.domain_id, + password=password) + user_ref = PROVIDERS.identity_api.create_user(user_ref) +diff --git a/keystone/tests/unit/identity/test_backend_sql.py 
b/keystone/tests/unit/identity/test_backend_sql.py +index 8c7fb31..0a99002 100644 +--- a/keystone/tests/unit/identity/test_backend_sql.py ++++ b/keystone/tests/unit/identity/test_backend_sql.py +@@ -613,7 +613,7 @@ + ) + # test locking out user after max failed attempts + self._fail_auth_repeatedly(self.user['id']) +- self.assertRaises(exception.AccountLocked, ++ self.assertRaises(exception.Unauthorized, + PROVIDERS.identity_api.authenticate, + user_id=self.user['id'], + password=uuid.uuid4().hex) +@@ -642,7 +642,7 @@ + with self.make_request(): + # lockout user + self._fail_auth_repeatedly(self.user['id']) +- self.assertRaises(exception.AccountLocked, ++ self.assertRaises(exception.Unauthorized, + PROVIDERS.identity_api.authenticate, + user_id=self.user['id'], + password=uuid.uuid4().hex) +@@ -661,7 +661,7 @@ + with self.make_request(): + # lockout user + self._fail_auth_repeatedly(self.user['id']) +- self.assertRaises(exception.AccountLocked, ++ self.assertRaises(exception.Unauthorized, + PROVIDERS.identity_api.authenticate, + user_id=self.user['id'], + password=uuid.uuid4().hex) +@@ -687,7 +687,7 @@ + with self.make_request(): + # lockout user + self._fail_auth_repeatedly(self.user['id']) +- self.assertRaises(exception.AccountLocked, ++ self.assertRaises(exception.Unauthorized, + PROVIDERS.identity_api.authenticate, + user_id=self.user['id'], + password=uuid.uuid4().hex) +@@ -697,7 +697,7 @@ + # repeat failed auth the max times + self._fail_auth_repeatedly(self.user['id']) + # test user account is locked +- self.assertRaises(exception.AccountLocked, ++ self.assertRaises(exception.Unauthorized, + PROVIDERS.identity_api.authenticate, + user_id=self.user['id'], + password=uuid.uuid4().hex) +diff --git a/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml +new file mode 100644 +index 0000000..bd7a060 +--- /dev/null ++++ b/releasenotes/notes/bug-1688137-e4203c9a728690a7.yaml +@@ -0,0 +1,8 @@ ++--- ++fixes: ++ - 
| ++ [`bug 1688137 <https://bugs.launchpad.net/keystone/+bug/1688137>`_] ++ Fixed the AccountLocked exception being shown to the end user since ++ it provides some information that could be exploited by a ++ malicious user. The end user will now see Unauthorized instead of ++ AccountLocked, preventing user info oracle exploitation. diff -Nru keystone-18.0.0/debian/patches/series keystone-18.0.0/debian/patches/series --- keystone-18.0.0/debian/patches/series 2020-11-21 23:09:55.000000000 +0100 +++ keystone-18.0.0/debian/patches/series 2021-03-17 12:06:20.000000000 +0100 @@ -1,3 +1,4 @@ fixes-keystone-default-catalog.patch #fixes-default-connection.patch install-missing-files.patch +CVE-2021-38155_Hide_AccountLocked_exception_from_end_users.patch
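Review bot: the new debian/changelog entry is stamped `Wed, 17 Mar 2021 12:06:20 +0100` (and every file in the debdiff carries the same 2021-03-17 mtime), yet the patch it introduces says `Last-Update: 2021-08-14` and closes #992070 for a CVE published in August 2021, so the timestamp looks stale; refresh it with `dch -r` before uploading. The entry targets `bullseye` while the bug is tagged `buster`; align the tag with the suite actually requested.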
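Review bot: in the `@@ -36,10 +34,26 @@` hunk of keystone-uwsgi.ini, `processes = 8` is a fixed value while its own comment says "number of core*2", so a 2-core host ends up oversubscribed and a 16-core host underused; either state that 8 assumes a 4-core machine or derive it from the core count. `listen = 100` is bounded by the kernel's `net.core.somaxconn`, and uwsgi refuses to start when the listen queue exceeds it, so that dependency belongs in the comment. "It improves a lot performances" should read "It improves performance a lot". Finally, this hunk bundles non-security tuning with a CVE fix in a stable update; the release team may ask for the two to be separated.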
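Review bot: `Description::` in the DEP-3 header has a doubled colon and should be `Description:`. In the keystone/notifications.py hunk the substitution `raise exception.Unauthorized` happens only after the CADF failure event has been sent with `reason=audit_reason`, so operators keep the lockout signal in notifications while the client does not; that ordering is right, but the mapping covers only callers that pass through this wrapper, whereas the release note promises the end user will "now see Unauthorized instead of AccountLocked" unconditionally, so confirm no other path still surfaces AccountLocked.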
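Review bot: in the `@@ -613,7 +613,7 @@` hunk of test_backend_sql.py, once the expectation becomes `exception.Unauthorized`, `assertRaises` after `_fail_auth_repeatedly` no longer proves that the lock engaged, because a random wrong password raises Unauthorized whether or not the account is locked; add an assertion on the lock itself (for example that the correct password is now rejected too, or that the AccountLocked audit notification was emitted) so a regression that silently disables lockout is still caught. The same applies to the hunks at -642, -661, -687 and -697.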
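The pattern the patch applies, as an added example that is not Keystone code and not part of the debdiff: a constructed in-memory identity store with a lockout counter, the pre-patch wrapper that lets `AccountLocked` reach the caller, the patched wrapper that audits first and then collapses it into `Unauthorized`, and a regression check that tells the two apart by comparing what a client can observe for an existing versus a nonexistent account. The class names mirror the patch; `IdentityStore`, `LOCKOUT_FAILURE_ATTEMPTS` and the sample user are assumptions made for the example.

```python
"""Added example (not Keystone's code): why a distinct 'locked' error is an
account-existence oracle, and the audit-then-collapse fix pattern."""
from dataclasses import dataclass

LOCKOUT_FAILURE_ATTEMPTS = 3  # stand-in for keystone's lockout_failure_attempts option


class Unauthorized(Exception):
    """What every failed login should look like from the outside."""


class AccountLocked(Unauthorized):
    """Internal reason: the lockout threshold was reached."""


@dataclass
class User:
    password: str
    failures: int = 0
    locked: bool = False


class IdentityStore:
    """Constructed in-memory stand-in for the identity backend plus audit sink."""

    def __init__(self):
        self.users = {"alice": User(password="correct-horse")}  # constructed sample user
        self.audit = []  # stand-in for CADF failure notifications seen by operators

    def check(self, user_id, password):
        user = self.users.get(user_id)
        if user is None:
            raise Unauthorized
        if user.locked:
            raise AccountLocked
        if password != user.password:
            user.failures += 1
            if user.failures >= LOCKOUT_FAILURE_ATTEMPTS:
                user.locked = True
                raise AccountLocked
            raise Unauthorized
        user.failures = 0
        return True


def authenticate_leaky(store, user_id, password):
    """Pre-patch shape: audit the failure, then let the original error propagate."""
    try:
        return store.check(user_id, password)
    except Unauthorized as ex:
        store.audit.append((user_id, type(ex).__name__))
        raise


def authenticate_hardened(store, user_id, password):
    """Patched shape: audit first, then hide AccountLocked behind Unauthorized."""
    try:
        return store.check(user_id, password)
    except Unauthorized as ex:
        store.audit.append((user_id, type(ex).__name__))  # operators keep the lock signal
        if isinstance(ex, AccountLocked):
            raise Unauthorized  # the client sees only the generic failure
        raise


def client_view(auth, store, user_id, password):
    """The only thing an unauthenticated caller can observe: the error class name."""
    try:
        auth(store, user_id, password)
        return "ok"
    except Unauthorized as ex:
        return type(ex).__name__


def leaks_existence(auth):
    """Regression check: after enough wrong passwords, does an existing account
    yield a different set of errors than a nonexistent one? True means oracle."""
    seen = {}
    for user_id in ("alice", "nobody"):
        store = IdentityStore()  # fresh counters for each probe
        seen[user_id] = {client_view(auth, store, user_id, "wrong")
                         for _ in range(LOCKOUT_FAILURE_ATTEMPTS + 1)}
    return seen["alice"] != seen["nobody"]


def lock_still_audited():
    """The hardened path still records AccountLocked for operators."""
    store = IdentityStore()
    for _ in range(LOCKOUT_FAILURE_ATTEMPTS + 1):
        client_view(authenticate_hardened, store, "alice", "wrong")
    return "AccountLocked" in {reason for _, reason in store.audit}


if __name__ == "__main__":
    print("leaky oracle:   ", leaks_existence(authenticate_leaky))     # True
    print("hardened oracle:", leaks_existence(authenticate_hardened))  # False
    print("lock audited:   ", lock_still_audited())                    # True
```

The ordering inside the `except` block is the important part: the audit record is written before the exception is swapped, so the lockout stays visible to operators through notifications and logs even though the client can no longer distinguish a locked account from a wrong password or an unknown user.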

