[openstack-announce] [OSSA 2016-005] Potential reuse of revoked Identity tokens (CVE-2015-7546)

Tristan Cacqueray tdecacqu at redhat.com
Fri Jan 29 19:49:02 UTC 2016


=========================================================
OSSA-2016-005: Potential reuse of revoked Identity tokens
=========================================================

:Date: January 29, 2016
:CVE: CVE-2015-7546


Affects
~~~~~~~
- Keystone: <= 2015.1.2, >= 8.0.0 <= 8.0.1
- Keystonemiddleware: >= 1.5.0 <= 1.5.3, >= 1.6.0 <= 2.3.2


Description
~~~~~~~~~~~
Liu Sheng reported a vulnerability in Keystone. By manipulating a
token content, an authenticated user may prevent its revocation. This
can allow unauthorized access to cloud resources if a revoked token is
intercepted by an attacker. Only keystone setups using PKI or PKIZ
token are affected


Patches
~~~~~~~
- https://review.openstack.org/266045 (keystone) (Kilo)
- https://review.openstack.org/266607 (keystonemiddleware) (Kilo)
- https://review.openstack.org/266022 (keystone) (Liberty)
- https://review.openstack.org/265988 (keystonemiddleware) (Liberty)
- https://review.openstack.org/258141 (keystone) (Mitaka)
- https://review.openstack.org/258143 (keystonemiddleware) (Mitaka)


Credits
~~~~~~~
- Liu Sheng from Huawei (CVE-2015-7546)


References
~~~~~~~~~~
- https://bugs.launchpad.net/bugs/1490804
- https://wiki.openstack.org/wiki/OSSN/OSSN-0062
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7546


Notes
~~~~~
- The keystone fix is included in 2015.1.3 (Kilo) and will be included
  in a future 8.0.2 (Liberty) releases.
- The keystonemiddleware fix will be included in future 1.5.4 (Kilo)
  and 2.3.3 (Liberty) releases.
- Both keystone and keystonemiddleware needs to be updated

--
Tristan Cacqueray
OpenStack Vulnerability Management Team

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-announce/attachments/20160129/0cef13df/attachment.pgp>


More information about the OpenStack-announce mailing list