Nathan Kinder

Name of the Vulnerable Software and Affected Versions: Red Hat OpenStack Platform director (affected versions not specified) Description: A design flaw issue was found in the use of TripleO to enable libvirtd based live-migration. Libvirtd is deployed by default listening on 0.0.0.0 with no authentication or encryption. This allows anyone who can make a TCP connection to any compute host IP address to open a virsh session to the libvirtd instance, potentially gaining control of virtual machine instances or taking over the host. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenStack Identity (Keystone) versions prior to 2015.1.3 OpenStack Identity (Keystone) versions 8.0.x prior to 8.0.2 keystonemiddleware versions prior to 1.5.4 Liberty versions prior to 2.3.3 **Description** The issue is related to the improper invalidation of authorization tokens when using the PKI or PKIZ token providers. This allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token. **Recommendations** For OpenStack Identity (Keystone) versions prior to 2015.1.3, update to version 2015.1.3 or later. For OpenStack Identity (Keystone) versions 8.0.x prior to 8.0.2, update to version 8.0.2 or later. For keystonemiddleware versions prior to 1.5.4, update to version 1.5.4 or later. For Liberty versions prior to 2.3.3, update to version 2.3.3 or later.

**Name of the Vulnerable Software and Affected Versions** Red Hat Directory Server versions 7.1 before SP6 and 8.0 **Description** The issue is related to a buffer overflow in the regular expression handler, which can be triggered by a crafted LDAP query. This can cause a denial of service, leading to a crash of the slapd service, and potentially allow the execution of arbitrary code. **Recommendations** For Red Hat Directory Server version 7.1, apply Service Pack 6 or later to resolve the issue. For Red Hat Directory Server version 8.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.