Date: Wed, 1 Jun 2016 17:25:02 -0700 From: morgan fainberg <morgan.fainberg@...il.com> To: oss-security@...ts.openwall.com Subject: [OSSA-2016-008] Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass (CVE-2016-4911) ============================================================================================ OSSA-2016-008: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass ============================================================================================ :Date: May 23, 2016 :CVE: CVE-2016-4911 Affects ~~~~~~~ - Keystone: ==9.0.0 Description ~~~~~~~~~~~ Lance Bragstad (Rackspace) reported a vulnerability in the Keystone Fernet Token Provider. By rescoping a token a user will receive a new token without correct audit_ids, these incorrect audit_ids will prevent the entire chain of tokens from being revoked properly. This vulnerability does not impact revoking a token by its individual audit_id. Only deployments with Keystone configured to use Fernet tokens are impacted. Patches ~~~~~~~ - https://review.openstack.org/#/c/312582/ (Mitaka) - https://review.openstack.org/#/c/311886/ (Newton) Credits ~~~~~~~ - Lance Bragstad from Rackspace (CVE-2016-4911) References ~~~~~~~~~~ - https://bugs.launchpad.net/bugs/1577558 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4911 Notes ~~~~~ - This fix was included in the openstack/keystone 9.0.1 (mitaka) release. -- Morgan Fainberg OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (843 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ