[Openstack-security] [OSSN][DRAFT] Disabling a tenant does not disable a user token

Clark, Robert Graham robert.clark at hp.com
Fri Aug 9 20:30:20 UTC 2013


Added the CVE information to https://bugs.launchpad.net/ossn/+bug/1179955
- any objections to this getting published?

On 09/08/2013 20:27, "Kurt Seifried" <kseifried at redhat.com> wrote:

>
>On 08/09/2013 02:11 AM, Thierry Carrez wrote:
>> Kurt Seifried wrote:
>>> The expectation is that disabling tokens/tenants/etc locks
>>> people out now, not some point in the future. Is there any
>>> specific documentation covering this?
>> 
>>> E.g. for Python pickle the main docs for it:
>> 
>>> http://docs.python.org/2/library/pickle.html
>> 
>>> have a giant red warning at the top stating the security risk.
>>> Does a similar thing exist for OpenStack tokens?
>> 
>> I'm pretty sure it's not documented as clearly, and I agree that
>> the default expectation would be that tokens are invalidated when
>> the tenant is disabled. Keystone makes it difficult to "fix",
>> because it's a bit baked in the design of the system, so a stronger
>> change is needed to address that.
>> 
>> It's probably fair to assign a CVE for this and cover for it in
>> the OSSN, until we have a better answer to it.
>
>Please use CVE-2013-4222 for this issue.
>
>
>-- 
>Kurt Seifried Red Hat Security Response Team (SRT)
>PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>
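The failure mode discussed in the thread (a token that stays valid after its tenant is disabled), as an added, constructed Python model; this is not Keystone's code, and the Tenant, Token and validator names are assumptions made for the illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Simplified model of the issue in the thread: a token is bound to a tenant,
# and a validator that only looks at the token's expiry keeps accepting it
# after an administrator has disabled that tenant. Illustrative only.


@dataclass
class Tenant:
    name: str
    enabled: bool = True


@dataclass
class Token:
    token_id: str
    tenant: Tenant
    expires_at: datetime


def issue_token(token_id: str, tenant: Tenant, now: datetime, ttl_hours: int = 24) -> Token:
    return Token(token_id, tenant, now + timedelta(hours=ttl_hours))


def validate_expiry_only(token: Token, now: datetime) -> bool:
    """Weak check: a disabled tenant's token is honoured until it expires."""
    return now < token.expires_at


def validate_with_tenant_state(token: Token, now: datetime) -> bool:
    """Hardened check: the token must be unexpired AND its tenant still enabled."""
    return now < token.expires_at and token.tenant.enabled


def demo():
    """Returns (weak, hardened) results before disable, after disable, after expiry."""
    now = datetime(2013, 8, 9, 20, 0, tzinfo=timezone.utc)  # constructed timestamp
    tenant = Tenant("demo-tenant")
    tok = issue_token("tok-1", tenant, now)
    before = (validate_expiry_only(tok, now), validate_with_tenant_state(tok, now))
    tenant.enabled = False  # administrator disables the tenant
    soon = now + timedelta(minutes=5)
    after = (validate_expiry_only(tok, soon), validate_with_tenant_state(tok, soon))
    late = now + timedelta(hours=25)  # past the token's 24h lifetime
    expired = (validate_expiry_only(tok, late), validate_with_tenant_state(tok, late))
    return before, after, expired


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False), (False, False))
```

The middle tuple is the window the thread is concerned with: the expiry-only validator still accepts the token after the tenant is disabled, while the hardened validator rejects it immediately.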