OpenStack Security Advisory: 2012-010
CVE: CVE-2012-3426
Date: July 27, 2012
Title: Various Keystone token expiration issues
Impact: Medium
Reporter: Derek Higgins
Products: Keystone
Affects: Essex, Folsom
Description:
Derek Higgins reported various issues affecting Keystone token expiration. A token's expiration date can be circumvented by continuously creating new tokens before the old one has expired. Existing tokens also remain valid after a user account is disabled or after the account password is changed. An authenticated and authorized user could potentially leverage those vulnerabilities to extend their access beyond what the account owner expects.
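The three checks a token validator needs in order to close the gaps described above, as an added illustration that is not Keystone's code or the linked fixes: a token obtained by authenticating with another token cannot outlive its parent (so chaining cannot extend access), and validation rejects tokens whose user is disabled or whose password changed after the token was issued. The 24-hour lifetime and the data model are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Assumed lifetime for the example; Keystone's own default is not stated here.
TOKEN_LIFETIME = timedelta(hours=24)
EPOCH = datetime.min.replace(tzinfo=timezone.utc)


@dataclass
class User:
    name: str
    enabled: bool = True
    # Timestamp of the last password change; tokens issued before it are stale.
    password_changed_at: datetime = field(default_factory=lambda: EPOCH)


@dataclass
class Token:
    user: str
    issued_at: datetime
    expires_at: datetime


def issue_token(user: User, now: datetime, parent: Optional[Token] = None) -> Token:
    """Issue a token. When the caller authenticated with an existing token
    (parent) instead of a password, the new token's expiry is capped at the
    parent's expiry, so re-issuing tokens cannot push access past the
    original deadline."""
    expires = now + TOKEN_LIFETIME
    if parent is not None:
        expires = min(expires, parent.expires_at)
    return Token(user.name, now, expires)


def validate_token(token: Token, users: Dict[str, User], now: datetime) -> Tuple[bool, str]:
    """Return (valid, reason). Checks expiry, account status and whether the
    password changed after the token was issued."""
    if now >= token.expires_at:
        return False, "expired"
    user = users.get(token.user)
    if user is None or not user.enabled:
        return False, "user disabled"
    if token.issued_at < user.password_changed_at:
        return False, "password changed after issuance"
    return True, "ok"
```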
Folsom fixes:
http://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb1...
http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c72...
http://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f02...
Essex fixes:
http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b3235455839...
http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e030...
http://github.com/openstack/keystone/commit/ea03d05ed5de0c015042876100d37a6a...
References:
https://bugs.launchpad.net/keystone/+bug/998185
https://bugs.launchpad.net/keystone/+bug/997194
https://bugs.launchpad.net/keystone/+bug/996595
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3426
Notes:
These fixes were already included in the Keystone 2012.1.1 stable update and in the Folsom-1 development milestone.
--
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team