OpenStack Security Advisory: 2014-026
CVE: CVE-2014-5251, CVE-2014-5252, CVE-2014-5253
Date: August 15, 2014
Title: Multiple vulnerabilities in Keystone revocation events
Reporter: Lance Bragstad (Rackspace) - CVE-2014-5252
          Brant Knudson (IBM) - CVE-2014-5251, CVE-2014-5253
Products: Keystone
Versions: 2014.1 versions up to 2014.1.1

Description:
Lance Bragstad from Rackspace and Brant Knudson from IBM reported 3
vulnerabilities in Keystone revocation events. Lance Bragstad discovered
that UUID v2 tokens processed by the V3 API are incorrectly updated and
get their "issued_at" time regenerated (CVE-2014-5252). Brant Knudson
discovered that the MySQL token driver stores expiration dates
incorrectly which prevents manual revocation (CVE-2014-5251) and that
domain-scoped tokens don't get revoked when the domain is disabled
(CVE-2014-5253). Tokens impacted by one of these bugs may allow a user
to evade token revocation. Only Keystone setups configured to use
revocation events are affected.

Juno (development branch) fix:
https://review.openstack.org/111106
https://review.openstack.org/109747
https://review.openstack.org/109819
https://review.openstack.org/109820

Icehouse fix:
https://review.openstack.org/112087
https://review.openstack.org/111772
https://review.openstack.org/112083
https://review.openstack.org/112084

Notes:
These fixes will be included in the Juno-3 development milestone and are
already included in the 2014.1.2.1 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5251
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5253
https://launchpad.net/bugs/1347961
https://launchpad.net/bugs/1348820
https://launchpad.net/bugs/1349597

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
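
Added example, not part of the advisory and not Keystone code: a simplified Python model of why a regenerated "issued_at" (CVE-2014-5252) lets a token fall outside a revocation event, plus an audit check for that drift. It assumes an event covers tokens issued at or before the event's cutoff, a fixed known token lifetime and an unchanged expiry; all class names, field names and sample times are constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Token:                      # hypothetical model, not Keystone's token format
    user_id: str
    issued_at: datetime
    expires_at: datetime

@dataclass(frozen=True)
class RevocationEvent:            # hypothetical model of one revocation event
    user_id: str
    issued_before: datetime       # assumption: covers tokens issued at or before this

def is_revoked(token, events):
    """True if any event names the token's user and covers its issue time."""
    return any(e.user_id == token.user_id and token.issued_at <= e.issued_before
               for e in events)

def reprocess(token, now, preserve_issued_at):
    """Re-process a token; the flawed path stamps a fresh issued_at."""
    return token if preserve_issued_at else replace(token, issued_at=now)

def issued_at_drifted(token, lifetime, tolerance=timedelta(seconds=1)):
    """Audit check: issued_at no longer equals expires_at minus the lifetime.
    Assumes a fixed, known token lifetime and an unchanged expires_at."""
    return abs((token.expires_at - lifetime) - token.issued_at) > tolerance

def demo():
    lifetime = timedelta(hours=24)
    t0 = datetime(2014, 8, 1, 12, 0, tzinfo=timezone.utc)   # constructed times
    token = Token("u1", t0, t0 + lifetime)
    events = [RevocationEvent("u1", t0 + timedelta(minutes=10))]
    later = t0 + timedelta(minutes=20)                      # after the revocation
    flawed = reprocess(token, later, preserve_issued_at=False)
    fixed = reprocess(token, later, preserve_issued_at=True)
    return {
        "original_revoked": is_revoked(token, events),
        "flawed_revoked": is_revoked(flawed, events),
        "fixed_revoked": is_revoked(fixed, events),
        "flawed_drift": issued_at_drifted(flawed, lifetime),
        "fixed_drift": issued_at_drifted(fixed, lifetime),
    }

if __name__ == "__main__":
    print(demo())
```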