[Openstack] [OSSA 2012-014] Revoking a role does not affect existing tokens (CVE-2012-4413)

Dolph Mathews dolph.mathews at gmail.com
Wed Sep 12 17:35:34 UTC 2012


Ryan Lane deserves recognition for originally identifying this as a
potential vulnerability.

Thanks, Ryan!

-Dolph


On Wed, Sep 12, 2012 at 11:36 AM, Thierry Carrez <thierry at openstack.org>wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> OpenStack Security Advisory: 2012-014
> CVE: CVE-2012-4413
> Date: September 12, 2012
> Title: Revoking a role does not affect existing tokens
> Impact: High
> Reporter: Dolph Mathews (Rackspace)
> Products: Keystone
> Affects: Essex, Folsom
>
> Description:
> Dolph Mathews reported a vulnerability in Keystone. Granting and
> revoking roles from a user is not reflected upon token validation for
> pre-existing tokens. Pre-existing tokens continue to be valid for the
> original set of roles for the remainder of the token's lifespan, or
> until explicitly invalidated. This fix invalidates all tokens held by
> a user upon role grant/revoke to circumvent the issue.
>
> Folsom fix:
>
> http://github.com/openstack/keystone/commit/efb6b3fca0ba0ad768b3e803a324043095d326e2
>
> Essex fix:
>
> http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e
>
> References:
> https://bugs.launchpad.net/keystone/+bug/1041396
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413
>
> Notes:
> This fix will be included in the future Keystone 2012.1.3 stable
> update and the upcoming Folsom-RC1 development milestone.
>
> - --
> Thierry Carrez (ttx)
> OpenStack Vulnerability Management Team
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJQULoUAAoJEFB6+JAlsQQjGacQAJUvJb+oIjh73KAYYuDpl/YP
> PqJa4nmjVin7CyQ8AbxHK63xrAQ7isPFpCCqtEmjZ5kvFCrJRHiQggHNqISRhnvo
> +HyS6RSn4Vrp001PSZSmQI5MpgkeWhbOy+fk4/ZY7hFgUyS2YqC8YiK7DTMdKRBi
> toWOHRVWrmA4fUEDDcDdm9XzRseTC0cZAbj9bYAF+vXPdpxeGpq5l9Kb6yDezXGD
> 62dFvHghVTWdUIN+gK4V4d77PoyeO9NRd4Ud0GjDpV/asQL31dW6B4aRPYVDPhL3
> 7xcnhRsnZ3Y5J31n+7E/gMF+J+6kOaY/DNFZQ8chNW18kplYnmJnm7s3BJNjD512
> UF/S5A5sH1Rk/vwe2nAHSqvQ1Dq3K0sRvW3YCijG2Rdj3mhBOr6OlvT5uJmnkeJT
> GQQ8SR3y+ZLS/2EEW+cVjDMxV4Gnf9Zzrw/tSjVp6QLmJAkG8qrFmgdisQ/Jao4M
> ygE8ZVu8lJq7N8b+k8XkB+bhz9E9V6hYOUuGoifEHRIPki/Ed7++BcdVTQdQYpAL
> kDTaoVZt1+plwAu4ZBLxUg1vhVz19qgDc7UeoY1sPc1JcRWp/ONnp6K4z+Y+7Rsx
> 3E4FLH0/qgFxKDHdGX91Plehk9dIEjHcGtKaXI8vOvGT17srYQaF6Y7rc+9TwaqI
> bggBCxcI2PLQgjuWyF4M
> =+6UN
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20120912/9dbf0f96/attachment.html>


More information about the Openstack mailing list