Ryan Lane deserves recognition for originally identifying this as a potential vulnerability.<div><br></div><div>Thanks, Ryan!<br clear="all"><div><br></div>-Dolph<br>
<br><br><div class="gmail_quote">On Wed, Sep 12, 2012 at 11:36 AM, Thierry Carrez <span dir="ltr"><<a href="mailto:thierry@openstack.org" target="_blank">thierry@openstack.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
OpenStack Security Advisory: 2012-014<br>
CVE: CVE-2012-4413<br>
Date: September 12, 2012<br>
Title: Revoking a role does not affect existing tokens<br>
Impact: High<br>
Reporter: Dolph Mathews (Rackspace)<br>
Products: Keystone<br>
Affects: Essex, Folsom<br>
<br>
Description:<br>
Dolph Mathews reported a vulnerability in Keystone. Granting and<br>
revoking roles from a user is not reflected upon token validation for<br>
pre-existing tokens. Pre-existing tokens continue to be valid for the<br>
original set of roles for the remainder of the token's lifespan, or<br>
until explicitly invalidated. This fix invalidates all tokens held by<br>
a user upon role grant/revoke to circumvent the issue.<br>
<br>
Folsom fix:<br>
<a href="http://github.com/openstack/keystone/commit/efb6b3fca0ba0ad768b3e803a324043095d326e2" target="_blank">http://github.com/openstack/keystone/commit/efb6b3fca0ba0ad768b3e803a324043095d326e2</a><br>
<br>
Essex fix:<br>
<a href="http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e" target="_blank">http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e</a><br>
<br>
References:<br>
<a href="https://bugs.launchpad.net/keystone/+bug/1041396" target="_blank">https://bugs.launchpad.net/keystone/+bug/1041396</a><br>
<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413" target="_blank">http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413</a><br>
<br>
Notes:<br>
This fix will be included in the future Keystone 2012.1.3 stable<br>
update and the upcoming Folsom-RC1 development milestone.<br>
<br>
- --<br>
Thierry Carrez (ttx)<br>
OpenStack Vulnerability Management Team<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.11 (GNU/Linux)<br>
Comment: Using GnuPG with Mozilla - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
iQIcBAEBCAAGBQJQULoUAAoJEFB6+JAlsQQjGacQAJUvJb+oIjh73KAYYuDpl/YP<br>
PqJa4nmjVin7CyQ8AbxHK63xrAQ7isPFpCCqtEmjZ5kvFCrJRHiQggHNqISRhnvo<br>
+HyS6RSn4Vrp001PSZSmQI5MpgkeWhbOy+fk4/ZY7hFgUyS2YqC8YiK7DTMdKRBi<br>
toWOHRVWrmA4fUEDDcDdm9XzRseTC0cZAbj9bYAF+vXPdpxeGpq5l9Kb6yDezXGD<br>
62dFvHghVTWdUIN+gK4V4d77PoyeO9NRd4Ud0GjDpV/asQL31dW6B4aRPYVDPhL3<br>
7xcnhRsnZ3Y5J31n+7E/gMF+J+6kOaY/DNFZQ8chNW18kplYnmJnm7s3BJNjD512<br>
UF/S5A5sH1Rk/vwe2nAHSqvQ1Dq3K0sRvW3YCijG2Rdj3mhBOr6OlvT5uJmnkeJT<br>
GQQ8SR3y+ZLS/2EEW+cVjDMxV4Gnf9Zzrw/tSjVp6QLmJAkG8qrFmgdisQ/Jao4M<br>
ygE8ZVu8lJq7N8b+k8XkB+bhz9E9V6hYOUuGoifEHRIPki/Ed7++BcdVTQdQYpAL<br>
kDTaoVZt1+plwAu4ZBLxUg1vhVz19qgDc7UeoY1sPc1JcRWp/ONnp6K4z+Y+7Rsx<br>
3E4FLH0/qgFxKDHdGX91Plehk9dIEjHcGtKaXI8vOvGT17srYQaF6Y7rc+9TwaqI<br>
bggBCxcI2PLQgjuWyF4M<br>
=+6UN<br>
-----END PGP SIGNATURE-----<br>
<br>
_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to     : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help   : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
</blockquote></div><br></div>