Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 15 Aug 2014 11:57:34 -0400
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-026] Multiple vulnerabilities in Keystone revocation events
 (CVE-2014-5251, CVE-2014-5252, CVE-2014-5253)

OpenStack Security Advisory: 2014-026
CVE: CVE-2014-5251, CVE-2014-5252, CVE-2014-5253
Date: August 15, 2014
Title: Multiple vulnerabilities in Keystone revocation events
Reporter: Lance Bragstad (Rackspace) - CVE-2014-5252
          Brant Knudson (IBM)        - CVE-2014-5251, CVE-2014-5253
Products: Keystone
Versions: 2014.1 versions up to 2014.1.1

Description:
Lance Bragstad from Rackspace and Brant Knudson from IBM reported 3
vulnerabilities in Keystone revocation events. Lance Bragstad discovered
that UUID v2 tokens processed by the V3 API are incorrectly updated and
get their "issued_at" time regenerated (CVE-2014-5252). Brant Knudson
discovered that the MySQL token driver stores expiration dates
incorrectly which prevents manual revocation (CVE-2014-5251) and that
domain-scoped tokens don't get revoked when the domain is disabled
(CVE-2014-5253). Tokens impacted by one of these bugs may allow a user
to evade token revocation. Only Keystone setups configured to use
revocation events are affected.

Juno (development branch) fix:
https://review.openstack.org/111106
https://review.openstack.org/109747
https://review.openstack.org/109819
https://review.openstack.org/109820

Icehouse fix:
https://review.openstack.org/112087
https://review.openstack.org/111772
https://review.openstack.org/112083
https://review.openstack.org/112084

Notes:
These fixes will be included in the Juno-3 development milestone and are
already included in the 2014.1.2.1 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5251
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5253
https://launchpad.net/bugs/1347961
https://launchpad.net/bugs/1348820
https://launchpad.net/bugs/1349597

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team




Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.