Date: Wed, 1 Jun 2016 17:25:02 -0700
From: morgan fainberg <morgan.fainberg@...il.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2016-008] Incorrect Audit IDs in Keystone Fernet Tokens can
 result in revocation bypass (CVE-2016-4911)

============================================================================================
OSSA-2016-008: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
============================================================================================

:Date: May 23, 2016
:CVE: CVE-2016-4911


Affects
~~~~~~~
- Keystone: ==9.0.0


Description
~~~~~~~~~~~
Lance Bragstad (Rackspace) reported a vulnerability in the Keystone
Fernet Token Provider. When a user rescopes a token, the new token is
issued without the correct audit_ids; because the audit chain is not
carried over, revoking the chain no longer revokes every token derived
from the original. This vulnerability does not impact revoking a token
by its individual audit_id. Only deployments with Keystone configured
to use Fernet tokens are impacted.
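The following is an added illustration, not Keystone code and not part of the original advisory. It models the audit_ids convention the advisory relies on (a token carries its own audit id first and, once rescoped, the audit chain id of the original token second) and shows why a rescoped token that drops the chain id escapes chain-wide revocation. The class and function names (Token, RevocationList, rescope_token, chain_revocation_holds) are hypothetical; the preserve_chain flag only exists here to contrast correct behaviour with the defect described above.

```python
import secrets
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Token:
    """Minimal stand-in for a scoped token (hypothetical, not Keystone's model)."""
    subject: str
    scope: str
    # [own_audit_id] for a fresh token, [own_audit_id, audit_chain_id] once rescoped
    audit_ids: List[str] = field(default_factory=list)

    @property
    def own_audit_id(self) -> str:
        return self.audit_ids[0]

    @property
    def audit_chain_id(self) -> str:
        # A token that was never rescoped is the head of its own chain.
        return self.audit_ids[1] if len(self.audit_ids) > 1 else self.audit_ids[0]


def new_audit_id() -> str:
    return secrets.token_urlsafe(16)


def issue_token(subject: str, scope: str) -> Token:
    return Token(subject, scope, [new_audit_id()])


def rescope_token(parent: Token, new_scope: str, preserve_chain: bool = True) -> Token:
    """Derive a token with a new scope from an existing one.

    preserve_chain=True is the correct behaviour: the child records the
    parent's chain id so the whole lineage can be revoked at once.
    preserve_chain=False models the defect in the advisory: the child is
    issued with audit_ids that no longer reference the chain.
    """
    own = new_audit_id()
    if preserve_chain:
        return Token(parent.subject, new_scope, [own, parent.audit_chain_id])
    return Token(parent.subject, new_scope, [own])


class RevocationList:
    """Tracks revocation by individual audit id and by audit chain id."""

    def __init__(self) -> None:
        self.audit_ids: Set[str] = set()
        self.audit_chain_ids: Set[str] = set()

    def revoke_audit_id(self, audit_id: str) -> None:
        self.audit_ids.add(audit_id)

    def revoke_chain(self, audit_chain_id: str) -> None:
        self.audit_chain_ids.add(audit_chain_id)

    def is_revoked(self, token: Token) -> bool:
        return (token.own_audit_id in self.audit_ids
                or token.audit_chain_id in self.audit_chain_ids)


def chain_revocation_holds(preserve_chain: bool) -> bool:
    """Regression check: after revoking the original token's chain, every
    token derived from it must be rejected. Returns False if any survives."""
    revocations = RevocationList()
    original = issue_token("alice", "unscoped")
    project_tok = rescope_token(original, "project-a", preserve_chain)
    domain_tok = rescope_token(project_tok, "domain-x", preserve_chain)

    revocations.revoke_chain(original.audit_chain_id)
    return all(revocations.is_revoked(t) for t in (original, project_tok, domain_tok))


def individual_revocation_holds(preserve_chain: bool) -> bool:
    """Revoking a single token by its own audit_id is unaffected either way."""
    revocations = RevocationList()
    original = issue_token("alice", "unscoped")
    child = rescope_token(original, "project-a", preserve_chain)
    revocations.revoke_audit_id(child.own_audit_id)
    return revocations.is_revoked(child) and not revocations.is_revoked(original)


if __name__ == "__main__":
    print("chain revocation, chain preserved:", chain_revocation_holds(True))
    print("chain revocation, chain dropped:  ", chain_revocation_holds(False))
    print("per-token revocation, chain dropped:", individual_revocation_holds(False))
```

Running the check with preserve_chain=False reproduces the effect the advisory describes: the rescoped tokens still validate after the chain is revoked, while revocation by an individual audit_id keeps working. A deployment-side variant of the same check (rescope a token, revoke the chain, confirm the derived tokens are rejected) is a reasonable post-upgrade verification.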


Patches
~~~~~~~
- https://review.openstack.org/#/c/312582/ (Mitaka)
- https://review.openstack.org/#/c/311886/ (Newton)


Credits
~~~~~~~
- Lance Bragstad from Rackspace (CVE-2016-4911)


References
~~~~~~~~~~
- https://bugs.launchpad.net/bugs/1577558
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4911


Notes
~~~~~
- This fix was included in the openstack/keystone 9.0.1 (mitaka) release.


-- 
Morgan Fainberg
OpenStack Vulnerability Management Team
