CVE-2017-12440

Name of the Vulnerable Software and Affected Versions Openstack Aodh versions before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 Openstack Aodh versions before Pike-rc1 in Ocata and Newton

Description The issue allows remote authenticated users with knowledge of trust id where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions. This is achieved by adding an alarm action with the scheme 'trust+http' and providing a trust id where Aodh is the trustee. The problem arises because Aodh does not verify that trust id belongs to the user when creating an alarm action.

Recommendations For Openstack Aodh versions before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851, update to a version that includes the change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 or later. For Openstack Aodh versions before Pike-rc1 in Ocata and Newton, update to Pike-rc1 or a later version. As a temporary workaround, consider restricting access to the alarm action creation feature with the 'trust+http' scheme to minimize the risk of exploitation.