[OSSA 2013-009] Keystone PKI tokens online validation bypasses revocation check (CVE-2013-1865)
OpenStack Security Advisory: 2013-009
CVE: CVE-2013-1865
Date: March 20, 2013
Title: Keystone PKI tokens online validation bypasses revocation check
Reporter: Guang Yee (HP)
Products: Keystone
Affects: Folsom
Description:
Guang Yee from HP reported a vulnerability in the revocation check for Keystone PKI tokens. Those tokens are supposed to be validated locally using cryptographic checks, but the user also has the option of asking the server to validate them. In that case, the online verification of PKI tokens would bypass the revocation check, potentially affirming that revoked tokens are still valid. Only Folsom setups making use of online verification of PKI tokens are affected.
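As an added illustration, not Keystone's code: a minimal token validator in the shape of the defect described above, an online path that verifies the signature and expiry but never consults the revocation list, beside a hardened version that checks revocation in one routine shared by every validation path, plus the regression check a deployer would want. The HMAC tag is a stand-in for Keystone's CMS signature, and the key, token IDs and revocation list are constructed.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key: an HMAC tag stands in for the CMS signature Keystone uses.
SIGNING_KEY = b"constructed-demo-key"

def sign_token(payload: dict) -> str:
    """Issue a token: JSON payload plus an authentication tag over it."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def verify_signature(token: str) -> Optional[dict]:
    """Cryptographic check only: return the payload if the tag is valid, else None."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)

# Vulnerable shape (the defect class in OSSA 2013-009): the online path accepts
# any well-signed, unexpired token and never looks at the revocation list.
def validate_online_vulnerable(token: str, revoked_ids: set, now: float) -> bool:
    payload = verify_signature(token)
    return payload is not None and payload["expires"] > now

# Hardened shape: signature, expiry and revocation are checked in one routine
# that both the local and the online path call, so no path can skip revocation.
def validate_token(token: str, revoked_ids: set, now: float) -> bool:
    payload = verify_signature(token)
    if payload is None or payload["expires"] <= now:
        return False
    return payload["id"] not in revoked_ids

def revocation_enforced(validator, now: Optional[float] = None) -> bool:
    """Regression check for any validator: a well-signed, unexpired but revoked
    token must be rejected, and the same token accepted when not revoked."""
    now = time.time() if now is None else now
    token = sign_token({"id": "tok-constructed-1", "user": "alice", "expires": now + 3600})
    if not validator(token, set(), now):
        return False
    return not validator(token, {"tok-constructed-1"}, now)

if __name__ == "__main__":
    print("vulnerable enforces revocation:", revocation_enforced(validate_online_vulnerable))
    print("hardened enforces revocation:", revocation_enforced(validate_token))
```

Running the check against every validation entry point a deployment exposes is the cheapest way to catch a path that silently drops the revocation step.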
Folsom fix: https://review.openstack.org/#/c/24906/
References:
https://bugs.launchpad.net/keystone/folsom/+bug/1129713
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1865
--
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team