oss-sec mailing list archives
CVE request for vulnerability in OpenStack Keystone
From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Tue, 05 Aug 2014 11:05:09 -0400
Three vulnerabilities were discovered in OpenStack (see below). In order to ensure full traceability, we need CVE number(s) assigned that we can attach to further notifications. These issues are already public, although an advisory was not sent yet.

Title: Multiple vulnerabilities in Keystone revocation events
Reporter: Lance Bragstad (Rackspace) and Brant Knudson (IBM)
Products: Keystone
Versions: 2014.1 versions up to 2014.1.1

Description:
Lance Bragstad from Rackspace and Brant Knudson from IBM reported 3 vulnerabilities in Keystone revocation events. Lance Bragstad discovered that UUID v2 tokens processed by the V3 API are incorrectly updated and get their "issued_at" time regenerated. Brant Knudson discovered that the MySQL token driver stores expiration dates incorrectly, which prevents manual revocation, and that domain-scoped tokens don't get revoked when the domain is disabled. Tokens impacted by one of these bugs may allow a user to evade token revocation. Only Keystone setups configured to use revocation events are affected.

References:
https://launchpad.net/bugs/1347961
https://launchpad.net/bugs/1348820
https://launchpad.net/bugs/1349597

Thanks in advance,
--
Tristan Cacqueray
OpenStack Vulnerability Management Team
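As an added illustration (not Keystone's code, nor part of the original message), a simplified model of how revocation events match tokens by issue time: it shows why a token whose "issued_at" is regenerated on validation, or a domain disable that emits no event, slips past revocation, and what the corrected behaviour looks like. The Token/RevocationEvent data model and function names are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Token:
    user_id: str
    issued_at: datetime
    domain_id: Optional[str] = None      # set only for domain-scoped tokens

@dataclass
class RevocationEvent:
    issued_before: datetime              # tokens issued before this instant match
    user_id: Optional[str] = None
    domain_id: Optional[str] = None

def is_revoked(token: Token, events: List[RevocationEvent]) -> bool:
    # Revoked if some event matches the token's scope and postdates its issue time.
    for ev in events:
        scope_matches = (ev.user_id in (None, token.user_id)
                         and ev.domain_id in (None, token.domain_id))
        if scope_matches and token.issued_at < ev.issued_before:
            return True
    return False

def validate_v2_token_via_v3(token: Token, now: datetime, preserve_issued_at: bool) -> Token:
    # Fixed path keeps issued_at; the defective path re-stamps it with `now`,
    # so an earlier revocation event no longer covers the token (assumed model).
    return token if preserve_issued_at else Token(token.user_id, now, token.domain_id)

def disable_domain(domain_id: str, events: List[RevocationEvent], now: datetime) -> None:
    # Disabling a domain must emit an event covering all of its domain-scoped tokens.
    events.append(RevocationEvent(issued_before=now, domain_id=domain_id))

def demo() -> dict:
    t0 = datetime(2014, 8, 5, 12, 0, 0)                      # constructed timestamp
    events = [RevocationEvent(issued_before=t0 + timedelta(minutes=5), user_id="alice")]
    later = t0 + timedelta(minutes=10)
    tok = Token("alice", issued_at=t0)
    kept = validate_v2_token_via_v3(tok, later, preserve_issued_at=True)
    restamped = validate_v2_token_via_v3(tok, later, preserve_issued_at=False)
    dom_tok = Token("bob", issued_at=t0, domain_id="d1")
    before = is_revoked(dom_tok, events)                     # no domain event yet
    disable_domain("d1", events, later)
    return {"fixed_path_revoked": is_revoked(kept, events),
            "restamped_revoked": is_revoked(restamped, events),
            "domain_token_before_disable": before,
            "domain_token_after_disable": is_revoked(dom_tok, events)}
```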