Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 1 Jun 2016 17:25:02 -0700
From: morgan fainberg <morgan.fainberg@...il.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2016-008] Incorrect Audit IDs in Keystone Fernet Tokens can
 result in revocation bypass (CVE-2016-4911)

============================================================================================
OSSA-2016-008: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
============================================================================================

:Date: May 23, 2016
:CVE: CVE-2016-4911


Affects
~~~~~~~
- Keystone: ==9.0.0


Description
~~~~~~~~~~~
Lance Bragstad (Rackspace) reported a vulnerability in the Keystone
Fernet Token Provider. By rescoping a token a user will receive a new
token without correct audit_ids, these incorrect audit_ids will
prevent the entire chain of tokens from being revoked properly. This
vulnerability does not impact revoking a token by its individual
audit_id. Only deployments with Keystone configured to use Fernet
tokens are impacted.


Patches
~~~~~~~
- https://review.openstack.org/#/c/312582/ (Mitaka)
- https://review.openstack.org/#/c/311886/ (Newton)


Credits
~~~~~~~
- Lance Bragstad from Rackspace (CVE-2016-4911)


References
~~~~~~~~~~
- https://bugs.launchpad.net/bugs/1577558
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4911


Notes
~~~~~
- This fix was included in the openstack/keystone 9.0.1 (mitaka) release.


-- 
Morgan Fainberg
OpenStack Vulnerability Management Team



Download attachment "signature.asc" of type "application/pgp-signature" (843 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ