Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 15 Aug 2014 11:57:34 -0400
From: Tristan Cacqueray <>
Subject: [OSSA 2014-026] Multiple vulnerabilities in Keystone revocation events
 (CVE-2014-5251, CVE-2014-5252, CVE-2014-5253)

OpenStack Security Advisory: 2014-026
CVE: CVE-2014-5251, CVE-2014-5252, CVE-2014-5253
Date: August 15, 2014
Title: Multiple vulnerabilities in Keystone revocation events
Reporter: Lance Bragstad (Rackspace) - CVE-2014-5252
          Brant Knudson (IBM)        - CVE-2014-5251, CVE-2014-5253
Products: Keystone
Versions: 2014.1 versions up to 2014.1.1

Lance Bragstad from Rackspace and Brant Knudson from IBM reported 3
vulnerabilities in Keystone revocation events. Lance Bragstad discovered
that UUID v2 tokens processed by the V3 API are incorrectly updated and
get their "issued_at" time regenerated (CVE-2014-5252). Brant Knudson
discovered that the MySQL token driver stores expiration dates
incorrectly which prevents manual revocation (CVE-2014-5251) and that
domain-scoped tokens don't get revoked when the domain is disabled
(CVE-2014-5253). Tokens impacted by one of these bugs may allow a user
to evade token revocation. Only Keystone setups configured to use
revocation events are affected.

Juno (development branch) fix:

Icehouse fix:

These fixes will be included in the Juno-3 development milestone and are
already included in the 2014.1.2.1 release.


Tristan Cacqueray
OpenStack Vulnerability Management Team

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ