Announce

Download

announce@lists.alasca.cloud

1 participants
2 discussions

[Security Advisory][CVE-2026-33551] Restricted application credentials can create EC2 credentials
by Stefan Hoffmann April 8, 2026

April 8, 2026

Hi, yesterday OpenStack published a security advisory for keystone. The vulnerability is at Keystone’s EC2 credential creation endpoint. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user’s S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected. keystone version 3.0.81 has the fixed version. With yaook release 1.4.2 and 2.0.1 this will be also fixed in the pinned_versions of the operators. (still in building) You can patch your keystone with this version pin: values: operator: extraEnv: - name: YAOOK_OP_VERSIONS_OVERRIDE value: | registry.yaook.cloud/yaook/keystone-2025.1: registry.yaook.cloud/yaook/keystone-2025.1:3.0.81 Also see our advisory: https://yaook.cloud/security-advisories-cve-2026-33551 Best regards Stefan -- Stefan Hoffmann DevOps-Engineer Cloud&Heat Cloud&Heat Technologies GmbH Königsbrücker Straße 96 (Halle 15) | 01099 Dresden +49 351 479 367 36 stefan.hoffmann(a)cloudandheat.com | www.cloudandheat.com Green, Open, Efficient. Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden. [1] Commercial Register: District Court Dresden Register Number: HRB 30549 VAT ID No.: DE281093504 Managing Director: Nicolas Röhrs Authorized signatory: Dr. Marius Feldmann [1] Ihr Cloud-Service- und Cloud-Technologie-Provider aus Dresden. https://www.cloudandheat.com/

1 0

[Yaook] [CVE][OSSA-2026-004] Server-Side Request Forgery (SSRF) vulnerabilities in OpenStack Glance image import functionality
by Stefan Hoffmann March 20, 2026

March 20, 2026

I forgot to send the advisory also here, but I guess, for now, this list is not used by many. Hi yaook and OpenStack Users, today a new security advisory was published by OpenStack and yaook now has a fix for it. Server-Side Request Forgery (SSRF) vulnerabilities in OpenStack Glance image import functionality By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only glance image import functionality is affected. In particular, the ‚web-download‘ and ‚glance-download‘ import methods are subject to this vulnerability, as is the optional (not enabled by default) ‚ovf_process‘ image import plugin. The following images are vulnerable: glance images BEFORE 1.1.156 Yaook versions <= v1.4.0 and 1.5.0 If any of these images are used in your cluster, the cluster is vulnerable. A new stable release 1.4.1 will be published today. You can upgrade to that release simply by updating your operators. Release 1.5.1 will also have this fix. If you don’t want to wait for the release, you can use a version override at the glance-operator (adjust the OpenStack version to the version you have deployed): values: operator: extraEnv: - name: YAOOK_OP_VERSIONS_OVERRIDE value: | registry.yaook.cloud/yaook/glance-2025.1: registry.yaook.cloud/yaook/glance-2025.1:1.1.156 See also https://yaook.cloud/security-advisories-ossa-2026-004/ Best regards Stefan

1 0