[Openstack] [OSSA 2014-026] Multiple vulnerabilities in Keystone revocation events (CVE-2014-5251, CVE-2014-5252, CVE-2014-5253)

Tristan Cacqueray tristan.cacqueray at enovance.com
Fri Aug 15 15:57:20 UTC 2014 

OpenStack Security Advisory: 2014-026
CVE: CVE-2014-5251, CVE-2014-5252, CVE-2014-5253
Date: August 15, 2014
Title: Multiple vulnerabilities in Keystone revocation events
Reporter: Lance Bragstad (Rackspace) - CVE-2014-5252
          Brant Knudson (IBM)        - CVE-2014-5251, CVE-2014-5253
Products: Keystone
Versions: 2014.1 versions up to 2014.1.1

Description:
Lance Bragstad from Rackspace and Brant Knudson from IBM reported 3
vulnerabilities in Keystone revocation events. Lance Bragstad discovered
that UUID v2 tokens processed by the V3 API are incorrectly updated and
get their "issued_at" time regenerated (CVE-2014-5252). Brant Knudson
discovered that the MySQL token driver stores expiration dates
incorrectly which prevents manual revocation (CVE-2014-5251) and that
domain-scoped tokens don't get revoked when the domain is disabled
(CVE-2014-5253). Tokens impacted by one of these bugs may allow a user
to evade token revocation. Only Keystone setups configured to use
revocation events are affected.

Juno (development branch) fix:
https://review.openstack.org/111106
https://review.openstack.org/109747
https://review.openstack.org/109819
https://review.openstack.org/109820

Icehouse fix:
https://review.openstack.org/112087
https://review.openstack.org/111772
https://review.openstack.org/112083
https://review.openstack.org/112084

Notes:
These fixes will be included in the Juno-3 development milestone and are
already included in the 2014.1.2.1 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5251
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5253
https://launchpad.net/bugs/1347961
https://launchpad.net/bugs/1348820
https://launchpad.net/bugs/1349597

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 474 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140815/1031bf67/attachment.sig>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140815/1031bf67/attachment-0001.sig>

More information about the Openstack mailing list