Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <53E0F2A5.801@enovance.com>
Date: Tue, 05 Aug 2014 11:05:09 -0400
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: CVE request for vulnerability in OpenStack Keystone

Three vulnerabilities was discovered in OpenStack (see below). In order
to ensure full traceability, we need CVE number(s) assigned that we can
attach to further notifications. These issues are already public,
although an advisory was not sent yet.

Title: Multiple vulnerabilities in Keystone revocation events
Reporter: Lance Bragstad (Rackspace) and Brant Knudson (IBM)
Products: Keystone
Versions: 2014.1 versions up to 2014.1.1

Description:
Lance Bragstad from Rackspace and Brant Knudson from IBM reported 3
vulnerabilities in Keystone revocation events. Lance Bragstad discovered
that UUID v2 tokens processed by the V3 API are incorrectly updated and
get their "issued_at" time regenerated. Brant Knudson discovered that
the MySQL token driver stores expiration dates incorrectly which
prevents manual revocation and that domain-scoped tokens don't get
revoked when the domain is disabled. Tokens impacted by one of these
bugs may allow a user to evade token revocation. Only Keystone setups
configured to use revocation events are affected.

References:
https://launchpad.net/bugs/1347961
https://launchpad.net/bugs/1348820
https://launchpad.net/bugs/1349597

Thanks in advance,

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team


Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.