[Openstack-security] [OSSN][DRAFT] Restarting memcached loses revoked token list

Adam Young ayoung at redhat.com
Wed Aug 7 23:50:09 UTC 2013


This looks pretty much like the write up I put in the bug report.


On 08/07/2013 09:22 AM, Clark, Robert Graham wrote:
> [Draft] Please review and add content as you feel appropriate
>
> Restarting memcached loses revoked token list
> ----
>
> ### Summary ###
> When a cloud is deployed using Memcache as a backend for Keystone tokens
> there is a security concern that restarting Memcached will lose the
> list of revoked tokens, potentially allowing bad tokens / users to
> access the system after they had been revoked.
>
>
> ### Affected Services / Software ###
> Keystone, Memcache
>
> ### Discussion ###
> There might be ways to mitigate in the future, such as running memcached
> on multiple machines to ensure redundancy should the Keystone server
> fail. In a clustered environment, it will only be an issue if all of the
> memcached machines shut down.
>
> Memcachedb might also be a potential way to mitigate.
> http://memcachedb.org/
>
> NOTE: Some deployments may intentionally flush Memcached in response to
> https://bugs.launchpad.net/ossn/+bug/1179955 - please exercise caution
> when considering how to approach this problem.
>
> ### Recommended Actions ###
> This is a fundamental problem with using in-memory ephemeral storage for
> security information. If your deployment has strong security
> requirements or a reliance on up-to-date revoked token information we
> suggest you consider using an on-disk DB such as MySQL / PostgreSQL or
> perhaps look into Memcachedb.
>
> ### Contacts / References ###
> This OSSN : https://bugs.launchpad.net/ossn/+bug/1182920
> OpenStack Security ML : openstack-security at lists.openstack.org
> OpenStack Security Group : https://launchpad.net/~openstack-ossg
>
> Robert Clark
> Security Architect
> HP Cloud Services
>
>
>
>
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
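An added example (not Keystone's code or anything from this thread) that simulates the failure mode the draft describes: the same revoke-then-restart sequence is run against an in-memory store standing in for memcached and against a sqlite3 file standing in for the on-disk DB (MySQL / PostgreSQL) the Recommended Actions suggest. The class names, the token id and the temporary database file are constructed for illustration.

```python
import os
import sqlite3
import tempfile


class MemcacheLikeRevocations:
    """Stand-in for a memcached-backed revocation list: process memory only."""
    def __init__(self):
        self._revoked = set()
    def revoke(self, token_id):
        self._revoked.add(token_id)
    def is_revoked(self, token_id):
        return token_id in self._revoked
    def restart(self):
        self._revoked = set()  # memcached keeps nothing across a restart


class OnDiskRevocations:
    """Stand-in for an on-disk DB backend; sqlite3 so the example runs offline."""
    def __init__(self, path):
        self._path = path
        self._db = sqlite3.connect(path, isolation_level=None)  # autocommit
        self._db.execute("CREATE TABLE IF NOT EXISTS revoked (id TEXT PRIMARY KEY)")
    def revoke(self, token_id):
        self._db.execute("INSERT OR IGNORE INTO revoked VALUES (?)", (token_id,))
    def is_revoked(self, token_id):
        row = self._db.execute("SELECT 1 FROM revoked WHERE id = ?", (token_id,)).fetchone()
        return row is not None
    def restart(self):
        self._db.close()  # service restarts; rows already on disk survive
        self._db = sqlite3.connect(self._path, isolation_level=None)
    def close(self):
        self._db.close()


def revocation_lost_on_restart(store, token_id="tok-constructed-001"):
    """Revoke a (constructed) token, restart the store, and report whether a
    validator consulting the store would now accept that token again."""
    store.revoke(token_id)
    assert store.is_revoked(token_id)
    store.restart()
    return not store.is_revoked(token_id)


def compare_backends():
    """Run the sequence against both backends; True means the revocation was lost."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    disk = OnDiskRevocations(path)
    try:
        return {"memcache": revocation_lost_on_restart(MemcacheLikeRevocations()),
                "on_disk": revocation_lost_on_restart(disk)}
    finally:
        disk.close()
        os.unlink(path)
```

In a clustered memcached deployment the in-memory case only applies once every node has restarted, as the draft notes, but the comparison is the same.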
