Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 17 May 2016 12:17:36 -0700
From: morgan fainberg <morgan.fainberg@...il.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE request for vulnerability in OpenStack Keystone

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although an
advisory was not sent yet.


Title: Incorrect Audit IDs in Keystone Fernet Tokens can result in
revocation bypass
Reporter: Lance Bragstad (Rackspace)
Products: OpenStack Kesytone
Affects: ==9.0.0

Description:
Lance Bragstad (Rackspace) reported a vulnerability in the Keystone
Fernet Token Provider. By rescoping a token a user will receive a new
token without correct audit_ids, these incorrect audit_ids will prevent
the entire chain of tokens from being revoked properly. This
vulnerability does not impact revoking a token by it's individual
audit_id. Only deployments with Keystone configured to use Fernet tokens
are impacted.



References:
https://launchpad.net/bugs/1577558 <https://launchpad.net/bugs/1577558>

Thanks in advance,

--
Morgan Fainberg
OpenStack Vulnerability Management Team

[ CONTENT OF TYPE application/pgp-keys SKIPPED ]

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ