Date: Fri, 15 Aug 2014 11:57:34 -0400
From: Tristan Cacqueray <tristan.cacqueray@...vance.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2014-026] Multiple vulnerabilities in Keystone revocation events (CVE-2014-5251, CVE-2014-5252, CVE-2014-5253)

OpenStack Security Advisory: 2014-026
CVE: CVE-2014-5251, CVE-2014-5252, CVE-2014-5253
Date: August 15, 2014
Title: Multiple vulnerabilities in Keystone revocation events
Reporter: Lance Bragstad (Rackspace) - CVE-2014-5252
          Brant Knudson (IBM) - CVE-2014-5251, CVE-2014-5253
Products: Keystone
Versions: 2014.1 versions up to 2014.1.1

Description:
Lance Bragstad from Rackspace and Brant Knudson from IBM reported 3
vulnerabilities in Keystone revocation events. Lance Bragstad discovered
that UUID v2 tokens processed by the V3 API are incorrectly updated and
get their "issued_at" time regenerated (CVE-2014-5252). Brant Knudson
discovered that the MySQL token driver stores expiration dates
incorrectly, which prevents manual revocation (CVE-2014-5251), and that
domain-scoped tokens don't get revoked when the domain is disabled
(CVE-2014-5253). Tokens impacted by one of these bugs may allow a user
to evade token revocation. Only Keystone setups configured to use
revocation events are affected.

Juno (development branch) fix:
https://review.openstack.org/111106
https://review.openstack.org/109747
https://review.openstack.org/109819
https://review.openstack.org/109820

Icehouse fix:
https://review.openstack.org/112087
https://review.openstack.org/111772
https://review.openstack.org/112083
https://review.openstack.org/112084

Notes:
These fixes will be included in the Juno-3 development milestone and
are already included in the 2014.1.2.1 release.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5251
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5253
https://launchpad.net/bugs/1347961
https://launchpad.net/bugs/1348820
https://launchpad.net/bugs/1349597

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
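To make the advisory's impact concrete, the following is an added, simplified model of how revocation events are matched against tokens (example code written for this page, not Keystone's own implementation). It assumes an event carries optional user_id, domain_id and issued_before criteria, and it uses a token that records its domain scope under a key the matcher never reads as an illustrative stand-in for the domain-scoped case; the advisory itself does not describe that root cause.

```python
from datetime import datetime, timedelta

# Constructed timestamps and identifiers (not from the advisory).
T0 = datetime(2014, 8, 15, 12, 0, 0)

def matches(event, token):
    """A revocation event applies to a token when every criterion it
    carries (user_id, domain_id, issued_before) agrees with the token.
    An event with no criteria at all matches every token."""
    for key in ("user_id", "domain_id"):
        if event.get(key) is not None and event[key] != token.get(key):
            return False
    before = event.get("issued_before")
    if before is not None and token["issued_at"] >= before:
        return False
    return True

def is_revoked(token, events):
    """A token is revoked as soon as any stored event matches it."""
    return any(matches(e, token) for e in events)

def make_token(user_id, issued_at, **scope):
    return {"user_id": user_id, "issued_at": issued_at, **scope}

# Scenario 1 (CVE-2014-5252 class): revoke alice's tokens issued before T0+5m.
USER_EVENTS = [{"user_id": "alice", "issued_before": T0 + timedelta(minutes=5)}]
ORIGINAL = make_token("alice", T0)
# The same token after its issued_at was regenerated by a later API call:
# it now looks newer than the revocation event and slips past it.
REGENERATED = dict(ORIGINAL, issued_at=T0 + timedelta(minutes=10))

# Scenario 2 (CVE-2014-5253 class): disabling domain d1 emits a domain event.
DOMAIN_EVENTS = [{"domain_id": "d1"}]
GOOD_DOMAIN_TOKEN = make_token("bob", T0, domain_id="d1")
# Assumed stand-in for the root cause: the domain-scoped token records its
# scope under a key the matcher never reads, so the event cannot hit it.
UNMATCHED_DOMAIN_TOKEN = make_token("bob", T0, scope_domain_id="d1")

def demo():
    return {
        "original_revoked": is_revoked(ORIGINAL, USER_EVENTS),                      # True
        "regenerated_revoked": is_revoked(REGENERATED, USER_EVENTS),                # False
        "domain_token_revoked": is_revoked(GOOD_DOMAIN_TOKEN, DOMAIN_EVENTS),       # True
        "unmatched_domain_revoked": is_revoked(UNMATCHED_DOMAIN_TOKEN, DOMAIN_EVENTS),  # False
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two False results are the evasion the advisory warns about: the revocation event is stored correctly, but the token it was meant to cover no longer matches it.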