Date: Fri, 15 Aug 2014 11:57:34 -0400
From: Tristan Cacqueray <>
Subject: [OSSA 2014-026] Multiple vulnerabilities in Keystone revocation events (CVE-2014-5251, CVE-2014-5252, CVE-2014-5253)

OpenStack Security Advisory: 2014-026
CVE: CVE-2014-5251, CVE-2014-5252, CVE-2014-5253
Date: August 15, 2014
Title: Multiple vulnerabilities in Keystone revocation events
Reporter: Lance Bragstad (Rackspace) - CVE-2014-5252
          Brant Knudson (IBM)        - CVE-2014-5251, CVE-2014-5253
Products: Keystone
Versions: 2014.1 versions up to 2014.1.1

Lance Bragstad from Rackspace and Brant Knudson from IBM reported three
vulnerabilities in Keystone revocation events. Lance Bragstad discovered
that UUID v2 tokens processed by the V3 API are incorrectly updated and
get their "issued_at" time regenerated (CVE-2014-5252). Brant Knudson
discovered that the MySQL token driver stores expiration dates
incorrectly, which prevents manual revocation (CVE-2014-5251), and that
domain-scoped tokens are not revoked when their domain is disabled
(CVE-2014-5253). A token affected by any of these bugs may allow a user
to evade token revocation. Only Keystone setups configured to use
revocation events are affected.
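The following is an added example, not Keystone's own code: a simplified model of how revocation events are matched against tokens, written to show why two of the three bugs let a token slip past revocation. A revocation event records when a revocation happened and which user, project or domain it applies to; a token is revoked only if it matches the event's scope and was issued before the event. The class and function names, timestamps and identifiers are all assumptions constructed for the example. `reissue_issued_at` models the CVE-2014-5252 failure (the token's `issued_at` is rewritten to the current time, so it looks newer than every event), and `disable_domain` shows the behaviour CVE-2014-5253 was missing (disabling a domain must emit a domain-scoped event).

```python
"""Simplified model of revocation-event matching (added example, not Keystone code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Token:
    user_id: str
    issued_at: datetime
    expires_at: datetime
    project_id: Optional[str] = None
    domain_id: Optional[str] = None  # set only for domain-scoped tokens


@dataclass(frozen=True)
class RevocationEvent:
    revoked_at: datetime
    user_id: Optional[str] = None
    project_id: Optional[str] = None
    domain_id: Optional[str] = None

    def matches(self, token: Token) -> bool:
        # Every attribute the event sets must equal the token's; unset
        # attributes act as wildcards. Only tokens issued *before* the
        # event are revoked, which is why issued_at must never be rewritten.
        if self.user_id is not None and self.user_id != token.user_id:
            return False
        if self.project_id is not None and self.project_id != token.project_id:
            return False
        if self.domain_id is not None and self.domain_id != token.domain_id:
            return False
        return token.issued_at < self.revoked_at


def is_revoked(token: Token, events: List[RevocationEvent]) -> bool:
    return any(ev.matches(token) for ev in events)


def validate(token: Token, events: List[RevocationEvent], now: datetime) -> str:
    """Return 'expired', 'revoked' or 'valid' for a token at time `now`."""
    if now >= token.expires_at:
        return "expired"
    if is_revoked(token, events):
        return "revoked"
    return "valid"


def reissue_issued_at(token: Token, now: datetime) -> Token:
    """Models the CVE-2014-5252 defect: validation regenerates issued_at.

    The returned copy is newer than every earlier revocation event, so
    is_revoked() no longer matches it. Correct behaviour keeps issued_at."""
    return Token(token.user_id, now, token.expires_at,
                 token.project_id, token.domain_id)


def disable_domain(domain_id: str, now: datetime,
                   events: List[RevocationEvent]) -> None:
    """Correct behaviour for CVE-2014-5253: disabling a domain must record a
    domain-scoped revocation event, or domain-scoped tokens stay valid."""
    events.append(RevocationEvent(revoked_at=now, domain_id=domain_id))


def demo() -> Dict[str, str]:
    """Run the scenarios with constructed sample data and return outcomes."""
    t0 = datetime(2014, 8, 15, 12, 0, tzinfo=timezone.utc)  # constructed
    one_hour = timedelta(hours=1)
    events: List[RevocationEvent] = []

    alice = Token("alice", t0, t0 + one_hour, project_id="p1")
    # Operator revokes all of alice's tokens ten minutes after issuance.
    events.append(RevocationEvent(revoked_at=t0 + timedelta(minutes=10),
                                  user_id="alice"))
    now = t0 + timedelta(minutes=20)

    results = {
        "original_token": validate(alice, events, now),
        # issued_at rewritten to `now` during validation: evades revocation
        "issued_at_regenerated": validate(reissue_issued_at(alice, now), events, now),
    }

    bob_domain = Token("bob", t0, t0 + one_hour, domain_id="d1")
    results["domain_token_before_disable"] = validate(bob_domain, events, now)
    disable_domain("d1", now, events)
    later = now + timedelta(minutes=1)
    results["domain_token_after_disable"] = validate(bob_domain, events, later)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The regression check an operator would want is the `issued_at_regenerated` case: a token that was revoked must still validate as revoked after any code path that touches it, and the only way that holds is if `issued_at` survives unchanged. Likewise, a domain disable that leaves `validate()` returning "valid" for a domain-scoped token indicates no event was emitted.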

Juno (development branch) fix:

Icehouse fix:

These fixes will be included in the Juno-3 development milestone and are
already included in the 2014.1.2.1 release.


Tristan Cacqueray
OpenStack Vulnerability Management Team

