Message-ID: <53EE2DEE.1030305@enovance.com>
Date: Fri, 15 Aug 2014 11:57:34 -0400
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-026] Multiple vulnerabilities in Keystone revocation events (CVE-2014-5251, CVE-2014-5252, CVE-2014-5253)
OpenStack Security Advisory: 2014-026
CVE: CVE-2014-5251, CVE-2014-5252, CVE-2014-5253
Date: August 15, 2014
Title: Multiple vulnerabilities in Keystone revocation events
Reporter: Lance Bragstad (Rackspace) - CVE-2014-5252
Brant Knudson (IBM) - CVE-2014-5251, CVE-2014-5253
Products: Keystone
Versions: 2014.1 versions up to 2014.1.1
Description:
Lance Bragstad from Rackspace and Brant Knudson from IBM reported three
vulnerabilities in Keystone revocation events. Lance Bragstad discovered
that UUID v2 tokens processed by the V3 API are incorrectly updated and
get their "issued_at" time regenerated (CVE-2014-5252). Brant Knudson
discovered that the MySQL token driver stores expiration dates
incorrectly, which prevents manual revocation (CVE-2014-5251), and that
domain-scoped tokens don't get revoked when the domain is disabled
(CVE-2014-5253). Tokens impacted by one of these bugs may allow a user
to evade token revocation. Only Keystone setups configured to use
revocation events are affected.
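As an added illustration that is not part of the advisory or of Keystone's own code, the following Python model shows why each of the three conditions lets a token slip past revocation-event matching. The event fields, the issued_before cut-off rule and the sample tokens are assumptions about how such matching works, not a description of Keystone internals.

```python
# Added model, not Keystone's code; the matching rules below are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Token:
    user_id: str
    issued_at: datetime
    expires_at: datetime
    domain_id: Optional[str] = None  # set only for domain-scoped tokens

@dataclass
class RevocationEvent:
    issued_before: datetime  # tokens issued at or before this time match
    user_id: Optional[str] = None  # None: this field is not constrained
    domain_id: Optional[str] = None
    expires_at: Optional[datetime] = None

def matches(event: RevocationEvent, token: Token) -> bool:
    # Every attribute the event sets must equal the token's, and the token
    # must have been issued no later than the event's cut-off.
    if token.issued_at > event.issued_before:
        return False
    for field in ("user_id", "domain_id", "expires_at"):
        wanted = getattr(event, field)
        if wanted is not None and getattr(token, field) != wanted:
            return False
    return True

def is_revoked(token: Token, events: list) -> bool:
    return any(matches(e, token) for e in events)

def check_cases(now: datetime = datetime(2014, 8, 15, 12, 0, 0)) -> dict:
    """Constructed scenarios; an '_evades' key is True when a token that should be revoked is still accepted."""
    soon, later = now + timedelta(minutes=1), now + timedelta(hours=1)
    # CVE-2014-5252: issued_at regenerated after the revoke-user event was recorded
    original = Token("alice", now, later)
    regenerated = Token("alice", now + timedelta(minutes=5), later)
    revoke_user = RevocationEvent(soon, user_id="alice")
    # CVE-2014-5251: stored expires_at lost sub-second precision while the event kept it
    stored = Token("bob", now, later.replace(microsecond=0))
    revoke_one = RevocationEvent(soon, user_id="bob", expires_at=later.replace(microsecond=123456))
    # CVE-2014-5253: only an event carrying domain_id revokes a domain-scoped token
    scoped = Token("carol", now, later, domain_id="d1")
    domain_off = RevocationEvent(soon, domain_id="d1")
    return {
        "baseline_revoked": is_revoked(original, [revoke_user]),
        "regenerated_issued_at_evades": not is_revoked(regenerated, [revoke_user]),
        "truncated_expires_at_evades": not is_revoked(stored, [revoke_one]),
        "domain_event_revokes": is_revoked(scoped, [domain_off]),
    }
```

The fixes linked below correspond to keeping the original issued_at, storing expiry at a precision the event can match, and recording a domain-scoped event when a domain is disabled.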
Juno (development branch) fix:
https://review.openstack.org/111106
https://review.openstack.org/109747
https://review.openstack.org/109819
https://review.openstack.org/109820
Icehouse fix:
https://review.openstack.org/112087
https://review.openstack.org/111772
https://review.openstack.org/112083
https://review.openstack.org/112084
Notes:
These fixes will be included in the Juno-3 development milestone and are
already included in the 2014.1.2.1 release.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5251
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5253
https://launchpad.net/bugs/1347961
https://launchpad.net/bugs/1348820
https://launchpad.net/bugs/1349597
--
Tristan Cacqueray
OpenStack Vulnerability Management Team