[Openstack-security] [OSSN][DRAFT] Disabling a tenant does not disable a user token

Kurt Seifried kseifried at redhat.com
Fri Aug 9 19:27:53 UTC 2013


On 08/09/2013 02:11 AM, Thierry Carrez wrote:
> Kurt Seifried wrote:
>> The expectation is that disabling tokens/tenants/etc locks
>> people out now, not some point in the future. Is there any
>> specific documentation covering this?
> 
>> E.g. for Python pickle the main docs for it:
> 
>> http://docs.python.org/2/library/pickle.html
> 
>> have a giant red warning at the top stating the security risk.
>> Does a similar thing exist for OpenStack tokens?
> 
> I'm pretty sure it's not documented as clearly, and I agree that
> the default expectation would be that tokens are invalidated when
> the tenant is disabled. Keystone makes it difficult to "fix",
> because it's a bit baked in the design of the system, so a stronger
> change is needed to address that.
> 
> It's probably fair to assign a CVE for this and cover for it in
> the OSSN, until we have a better answer to it.

Please use CVE-2013-4222 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

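The thread's point is that Keystone validated a token against the tenant's state only at issuance, so disabling the tenant left already-issued tokens usable until they expired. The following is an added, simplified model of that behaviour and of two defender-side fixes (re-checking the tenant on every validation, and eagerly revoking a tenant's tokens when it is disabled). It is not Keystone code; the `Tenant`, `Token` and `TokenService` classes and the `demo()` helper are constructed for illustration.

```python
"""Toy token service illustrating the CVE-2013-4222 issue discussed above.

Constructed example: the classes here are not Keystone's, but they model
the same lifecycle decision, namely whether a token's validity depends on
the tenant's enabled flag only when the token is issued, or on every use.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Tenant:
    name: str
    enabled: bool = True


@dataclass
class Token:
    token_id: str
    user: str
    tenant: str
    expires_at: float


class TokenService:
    def __init__(self, tenants, ttl_seconds=3600):
        self.tenants = {t.name: t for t in tenants}
        self.tokens = {}
        self.ttl = ttl_seconds

    def issue(self, user, tenant_name, now=None):
        """Issue a token; the tenant's enabled flag is checked here only."""
        now = time.time() if now is None else now
        tenant = self.tenants[tenant_name]
        if not tenant.enabled:
            raise PermissionError(f"tenant {tenant_name} is disabled")
        tok = Token(secrets.token_hex(16), user, tenant_name, now + self.ttl)
        self.tokens[tok.token_id] = tok
        return tok.token_id

    def disable_tenant(self, tenant_name, revoke_tokens=False):
        """Disable a tenant; optionally revoke every token scoped to it."""
        self.tenants[tenant_name].enabled = False
        if revoke_tokens:
            self.tokens = {tid: t for tid, t in self.tokens.items()
                           if t.tenant != tenant_name}

    def validate_issuance_only(self, token_id, now=None):
        """The weak behaviour: only existence and expiry are checked, so a
        token keeps working after its tenant is disabled."""
        now = time.time() if now is None else now
        tok = self.tokens.get(token_id)
        return tok is not None and now < tok.expires_at

    def validate_with_tenant_check(self, token_id, now=None):
        """Mitigation: re-check the tenant's enabled flag on every use."""
        now = time.time() if now is None else now
        tok = self.tokens.get(token_id)
        if tok is None or now >= tok.expires_at:
            return False
        tenant = self.tenants.get(tok.tenant)
        return tenant is not None and tenant.enabled


def demo():
    """Walk one token through issue -> tenant disable -> expiry and record
    what each validation strategy answers at each step."""
    t0 = 1_000_000.0
    svc = TokenService([Tenant("acme")])
    tok = svc.issue("alice", "acme", now=t0)
    results = {
        "before_disable": (svc.validate_issuance_only(tok, t0 + 10),
                           svc.validate_with_tenant_check(tok, t0 + 10)),
    }
    svc.disable_tenant("acme")
    results["after_disable"] = (svc.validate_issuance_only(tok, t0 + 20),
                                svc.validate_with_tenant_check(tok, t0 + 20))
    results["after_expiry"] = (svc.validate_issuance_only(tok, t0 + 4000),
                               svc.validate_with_tenant_check(tok, t0 + 4000))

    # Eager revocation: disabling the tenant also deletes its tokens, so even
    # the weak validator stops accepting them immediately.
    svc2 = TokenService([Tenant("acme")])
    tok2 = svc2.issue("alice", "acme", now=t0)
    svc2.disable_tenant("acme", revoke_tokens=True)
    results["eager_revoke"] = svc2.validate_issuance_only(tok2, t0 + 20)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

In the `after_disable` row the issuance-only validator still answers `True`, which is the window the OSSN warns about; the per-use tenant check and the eager-revocation variant both close it. In a real deployment the per-use check costs a tenant lookup on every validation, while eager revocation needs a token index keyed by tenant, which is the trade-off behind Thierry's remark that the fix is "baked in the design".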