[OSSA 2012-010] Various Keystone token expiration issues (CVE-2012-3426)
OpenStack Security Advisory: 2012-010
CVE: CVE-2012-3426
Date: July 27, 2012
Title: Various Keystone token expiration issues
Impact: Medium
Reporter: Derek Higgins
Products: Keystone
Affects: Essex, Folsom

Description:
Derek Higgins reported various issues affecting Keystone token expiration. A token's expiration date can be circumvented by continuously creating new tokens before the old one has expired. Existing tokens also remain valid after a user account is disabled or after an account password is changed. An authenticated and authorized user could potentially leverage those vulnerabilities to extend their access beyond the account owner's expectations.

Folsom fixes:
http://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb1...
http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c72...
http://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f02...

Essex fixes:
http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b3235455839...
http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e030...
http://github.com/openstack/keystone/commit/ea03d05ed5de0c015042876100d37a6a...

References:
https://bugs.launchpad.net/keystone/+bug/998185
https://bugs.launchpad.net/keystone/+bug/997194
https://bugs.launchpad.net/keystone/+bug/996595
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-3426

Notes:
Those fixes were already included in the Keystone 2012.1.1 stable update and the Folsom-1 development milestone.
--
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
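As an added illustration of the three checks the advisory describes (this is not Keystone's code, and the User/Token fields, the `password_changed_at` attribute and the 24-hour lifetime are assumptions), a token service that refuses to extend expiry when a token is re-issued from an existing token, and that rejects tokens of disabled accounts or tokens issued before the last password change:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed lifetime for a freshly authenticated token (not Keystone's setting).
TOKEN_LIFETIME = timedelta(hours=24)


@dataclass
class User:
    name: str
    enabled: bool = True
    # Assumed field: when the password was last changed. Tokens issued before
    # this instant are treated as revoked.
    password_changed_at: datetime = datetime(2012, 1, 1, tzinfo=timezone.utc)


@dataclass
class Token:
    user: str
    issued_at: datetime
    expires_at: datetime


def validate_token(token: Token, user: User, now: datetime) -> bool:
    """Reject expired tokens, tokens belonging to a disabled account, and
    tokens issued before the account's password was changed."""
    if now >= token.expires_at:
        raise PermissionError("token expired")
    if not user.enabled:
        raise PermissionError("account disabled")
    if token.issued_at < user.password_changed_at:
        raise PermissionError("password changed after token was issued")
    return True


def issue_token(user: User, now: datetime, parent: Optional[Token] = None) -> Token:
    """Issue a token for `user`. When the caller authenticated with an existing
    token (`parent`), the new token inherits the parent's expiry instead of a
    fresh lifetime, so chaining re-issues cannot push access past the original
    expiration date."""
    if not user.enabled:
        raise PermissionError("account disabled")
    expires = now + TOKEN_LIFETIME
    if parent is not None:
        validate_token(parent, user, now)  # a revoked parent cannot mint children
        expires = min(expires, parent.expires_at)
    return Token(user.name, now, expires)
```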