[openstack-announce] [OSSA 2013-009] Keystone PKI tokens online validation bypasses revocation check (CVE-2013-1865)

20 Mar 2013


      -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenStack Security Advisory: 2013-009
CVE: CVE-2013-1865
Date: March 20, 2013
Title: Keystone PKI tokens online validation bypasses revocation check
Reporter: Guang Yee (HP)
Products: Keystone
Affects: Folsom
Description:
Guang Yee from HP reported a vulnerability in the revocation check for
Keystone PKI tokens. Those tokens are supposed to be validated locally
using cryptographic checks, but the user also has the option of asking
the server to validate them. In that case, the online verification of
PKI tokens would bypass the revocation check, potentially affirming
revocated tokens are still valid. Only Folsom setups making use of
online verification of PKI tokens are affected.
Folsom fix:
https://review.openstack.org/#/c/24906/
References:
https://bugs.launchpad.net/keystone/folsom/+bug/1129713
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1865
- -- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
...PGP SIGNATURE...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCAAGBQJRSdTdAAoJEFB6+JAlsQQj9sUQAL0y9zV5xWHDhAFpfaUGobq6
n5TVeEEf3kb1CIYuVhX6vHuPl2CtoekMSX7MOLehiwmbxGw3B4G7DONZrWuxmzOT
J9B9kwMew3K5lE3X4oYH3cHjkTC+ZsnlUBzNiJIXEAkBFaGLmCwbt2eCREBcKvU8
glaPKncO226Y85wMV+Sbe12qDX/82o6TydkcJglhdGF3AYI4813yGb/U41rkKUnq
zlsg4Zaea4IFUe23fc9EchRDcgR1N+yfZf04+CKRymhvOcYzSLZDNxJpYN+jwzLy
UcB3Jqak8FR0+w3k28bz41COUWtynrTy5FAoDgvGtLM2m1GedMygNKdMb1yERC9z
ELWb0P1Z6qt5zZa6BORM185PJ9Dy5zQkOOOH1I7nWjnIa9wFzvbQBKHv5WPARWDu
rdAM2I55JmGxo6qFJWK6QnpYI6o6PQjQ2s0FC/H2kCMgXPygURD/X101Y2lOFSZ7
P8OhTKoVYqZf5pImpKCbtm1GHWIpev7BkzWvsFpPhVz4ExHSTsmc1Mk2ugDGQrgO
tCcF7Eo0eABepY4qVrSUi4euZvpFsWcjl7GzQ0WLCWyMUdPo9271ZfsgxfPxId7l
CMgn2hgpGv5+yTDDg4p8NSqmUp5hSMo/i6zgDrL9XEn4qx5Rr8pNqV/vUhmYQmzV
qQqwB3DR57T1eFMlGL7y
=9dar
-----END PGP SIGNATURE-----