VYPR
High severity · NVD Advisory · Published Jul 30, 2019 · Updated Aug 4, 2024

CVE-2019-10138

Description

CVE-2019-10138: python-novajoin API lacks access control, allowing any keystone-authenticated user to generate FreeIPA tokens.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2019-10138 is a flaw in the python-novajoin plugin, all versions up to (but excluding) 1.1.1, for Red Hat OpenStack Platform. The root cause is insufficient access control in the novajoin API. This allows any user who is authenticated to Keystone (the OpenStack identity service) to generate tokens for FreeIPA, the identity management system used by the plugin [1][2].

Exploitation and Attack Surface

The attack can be carried out by any Keystone-authenticated user, meaning no special administrative privileges are required beyond standard authentication to the OpenStack environment. The vulnerability exists in the API endpoints of the novajoin service; an attacker simply needs to send a crafted request to those endpoints to generate FreeIPA tokens [1][2]. The attack is network-based and does not require any prior access to the FreeIPA server.

Impact

A successful attacker can generate arbitrary FreeIPA tokens. These tokens could be used to impersonate legitimate users within FreeIPA, potentially leading to unauthorized access to identity-related services, privilege escalation, or further compromise of the OpenStack deployment that depends on FreeIPA for identity management [1].

Mitigation

The vulnerability is fixed in python-novajoin version 1.1.1. Users are strongly advised to upgrade to this patched version. No other workarounds are documented. Red Hat has released an erratum to address this issue for supported Red Hat OpenStack Platform deployments [2]. The project's source code has since been archived and moved to opendev.org [3], and the advisory is also recorded in the PyPA advisory database [4].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
novajoin (PyPI) | < 1.1.1 | 1.1.1
