Date: Wed, 12 Sep 2012 19:32:51 +0200
From: Soren Hansen <soren@...ux2go.dk>
To: Thierry Carrez <thierry@...nstack.org>
Cc: openstack@...ts.launchpad.net, openstack-announce@...ts.openstack.org, oss-security@...ts.openwall.com
Subject: Re: [Openstack] [OSSA 2012-014] Revoking a role does not affect existing tokens (CVE-2012-4413)

So if I can grant people access to a particular tenant, I can invalidate
everyone's tokens at will now?

Best regards, Soren.
Sent from my phone. Please pardon my brevity.
On Sep 12, 2012 6:40 PM, "Thierry Carrez" <thierry@...nstack.org> wrote:

> OpenStack Security Advisory: 2012-014
> CVE: CVE-2012-4413
> Date: September 12, 2012
> Title: Revoking a role does not affect existing tokens
> Impact: High
> Reporter: Dolph Mathews (Rackspace)
> Products: Keystone
> Affects: Essex, Folsom
>
> Description:
> Dolph Mathews reported a vulnerability in Keystone. Granting and
> revoking roles from a user is not reflected upon token validation for
> pre-existing tokens. Pre-existing tokens continue to be valid for the
> original set of roles for the remainder of the token's lifespan, or
> until explicitly invalidated. This fix invalidates all tokens held by
> a user upon role grant/revoke to circumvent the issue.
>
> Folsom fix:
>
> http://github.com/openstack/keystone/commit/efb6b3fca0ba0ad768b3e803a324043095d326e2
>
> Essex fix:
>
> http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e
>
> References:
> https://bugs.launchpad.net/keystone/+bug/1041396
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4413
>
> Notes:
> This fix will be included in the future Keystone 2012.1.3 stable
> update and the upcoming Folsom-RC1 development milestone.
>
> --
> Thierry Carrez (ttx)
> OpenStack Vulnerability Management Team
>
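A toy model of the behaviour the advisory and the reply describe, added here as an illustration rather than Keystone's own code (the `TokenService` class and its method names are invented): the same role revocation is run against a token store that trusts the role snapshot taken at issue time, as the vulnerable releases did, and against one that, like the OSSA 2012-014 fix, drops every token the user holds on any grant or revoke, which is the side effect Soren's question points at.

```python
import secrets
import time


class TokenService:
    """Constructed model of bearer tokens that carry a snapshot of the
    roles the user held on the tenant when the token was issued."""

    def __init__(self, invalidate_on_role_change):
        # False: validation trusts the snapshot (vulnerable behaviour).
        # True: any grant/revoke drops all of the user's tokens (the fix).
        self.invalidate_on_role_change = invalidate_on_role_change
        self.roles = {}   # (user, tenant) -> set of role names
        self.tokens = {}  # token id -> dict(user, tenant, roles, expires)

    def _role_changed(self, user, tenant, role, add):
        current = self.roles.setdefault((user, tenant), set())
        (current.add if add else current.discard)(role)
        if self.invalidate_on_role_change:
            # The fix invalidates every token held by the user, on all
            # tenants, not only tokens scoped to the tenant that changed.
            held = [t for t, tok in self.tokens.items() if tok["user"] == user]
            for tid in held:
                del self.tokens[tid]

    def grant_role(self, user, tenant, role):
        self._role_changed(user, tenant, role, add=True)

    def revoke_role(self, user, tenant, role):
        self._role_changed(user, tenant, role, add=False)

    def issue_token(self, user, tenant, ttl=3600):
        tid = secrets.token_hex(16)
        self.tokens[tid] = {
            "user": user,
            "tenant": tenant,
            "roles": set(self.roles.get((user, tenant), ())),  # snapshot
            "expires": time.time() + ttl,
        }
        return tid

    def validate(self, tid):
        """Return the roles the token grants, or None if it is invalid.
        Without invalidation this returns the stale snapshot until expiry."""
        tok = self.tokens.get(tid)
        if tok is None or tok["expires"] < time.time():
            self.tokens.pop(tid, None)
            return None
        return set(tok["roles"])
```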
