-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

OpenStack Security Advisory: 2012-014 CVE: CVE-2012-4413 Date: September 12, 2012 Title: Revoking a role does not affect existing tokens Impact: High Reporter: Dolph Mathews (Rackspace) Products: Keystone Affects: Essex, Folsom

Description: Dolph Mathews reported a vulnerability in Keystone. Granting and revoking roles from a user is not reflected upon token validation for pre-existing tokens. Pre-existing tokens continue to be valid for the original set of roles for the remainder of the token's lifespan, or until explicitly invalidated. This fix invalidates all tokens held by a user upon role grant/revoke to circumvent the issue.

Folsom fix: http://github.com/openstack/keystone/commit/efb6b3fca0ba0ad768b3e803a3240430...

Essex fix: http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3...

References: https://bugs.launchpad.net/keystone/+bug/1041396 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413

Notes: This fix will be included in the future Keystone 2012.1.3 stable update and the upcoming Folsom-RC1 development milestone.

- -- Thierry Carrez (ttx) OpenStack Vulnerability Management Team