Date: Wed, 1 Jun 2016 17:25:02 -0700
From: morgan fainberg <morgan.fainberg@...il.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2016-008] Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass (CVE-2016-4911)

============================================================================================
OSSA-2016-008: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
============================================================================================

:Date: May 23, 2016
:CVE: CVE-2016-4911

Affects
~~~~~~~
- Keystone: ==9.0.0

Description
~~~~~~~~~~~
Lance Bragstad (Rackspace) reported a vulnerability in the Keystone Fernet
Token Provider. By rescoping a token, a user receives a new token without the
correct audit_ids; these incorrect audit_ids prevent the entire chain of
tokens from being revoked properly. This vulnerability does not impact
revoking a token by its individual audit_id. Only deployments with Keystone
configured to use Fernet tokens are impacted.

Patches
~~~~~~~
- https://review.openstack.org/#/c/312582/ (Mitaka)
- https://review.openstack.org/#/c/311886/ (Newton)

Credits
~~~~~~~
- Lance Bragstad from Rackspace (CVE-2016-4911)

References
~~~~~~~~~~
- https://bugs.launchpad.net/bugs/1577558
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4911

Notes
~~~~~
- This fix was included in the openstack/keystone 9.0.1 (mitaka) release.

--
Morgan Fainberg
OpenStack Vulnerability Management Team
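The following is an added illustration of the revocation failure the advisory describes; it is not Keystone's code and is not from the advisory. It assumes Keystone's token audit model as a simplified toy: a token carries `audit_ids = [own_audit_id, audit_chain_id]`, the chain id being the first token's own audit id, and a revocation event may target either one token's `audit_id` or a whole chain. `rescope_buggy`, `rescope_fixed`, `RevocationList` and the helper functions are hypothetical names chosen for this example. `rescope_buggy` models a rescoped token minted without the chain id, so a chain revocation issued against the original token no longer reaches it, while revoking the rescoped token by its own audit id still works, which is what the advisory states.

```python
"""Toy model of Keystone-style audit_ids and chain revocation.

Added example, not Keystone code. Assumes (modelled on Keystone's token
format) that audit_ids = [own_audit_id, audit_chain_id] after a rescope and
that revocation can target a single audit_id or a whole chain id.
"""
import secrets
from dataclasses import dataclass, field


def _new_audit_id() -> str:
    # Random URL-safe id; the exact encoding is irrelevant to the model.
    return secrets.token_urlsafe(16)


@dataclass
class Token:
    user: str
    project: str
    audit_ids: list  # [own] for a first token, [own, chain] after a rescope


def issue_token(user: str, project: str) -> Token:
    """A freshly authenticated token starts a new chain with one audit id."""
    return Token(user, project, [_new_audit_id()])


def rescope_fixed(parent: Token, project: str) -> Token:
    """Correct behaviour: the child carries its parent's chain id."""
    chain_id = parent.audit_ids[-1]  # chain id, or parent's own id if it began the chain
    return Token(parent.user, project, [_new_audit_id(), chain_id])


def rescope_buggy(parent: Token, project: str) -> Token:
    """Models the defect in the advisory: the rescoped token gets only a
    fresh audit id, so it is detached from the chain it came from."""
    return Token(parent.user, project, [_new_audit_id()])


@dataclass
class RevocationList:
    audit_ids: set = field(default_factory=set)
    chain_ids: set = field(default_factory=set)

    def revoke_token(self, token: Token) -> None:
        """Revoke one token by its own audit id."""
        self.audit_ids.add(token.audit_ids[0])

    def revoke_chain(self, token: Token) -> None:
        """Revoke every token sharing this token's chain id."""
        self.chain_ids.add(token.audit_ids[-1])

    def is_revoked(self, token: Token) -> bool:
        return (token.audit_ids[0] in self.audit_ids
                or token.audit_ids[-1] in self.chain_ids)


def chain_revocation_covers_child(rescope) -> bool:
    """Issue a token, rescope it with `rescope`, revoke the whole chain via
    the original token, and report whether both tokens are now revoked."""
    parent = issue_token("alice", "project-a")  # constructed sample data
    child = rescope(parent, "project-b")
    revocations = RevocationList()
    revocations.revoke_chain(parent)
    return revocations.is_revoked(parent) and revocations.is_revoked(child)


def individual_revocation_covers_child(rescope) -> bool:
    """Revoking the rescoped token by its own audit id is unaffected."""
    parent = issue_token("alice", "project-a")
    child = rescope(parent, "project-b")
    revocations = RevocationList()
    revocations.revoke_token(child)
    return revocations.is_revoked(child)


if __name__ == "__main__":
    for name, fn in (("fixed", rescope_fixed), ("buggy", rescope_buggy)):
        print(f"{name} rescope: chain revocation covers child ->",
              chain_revocation_covers_child(fn))
        print(f"{name} rescope: individual revocation covers child ->",
              individual_revocation_covers_child(fn))
```

From a defender's view the useful check after patching to 9.0.1 is the first case: obtain a token, rescope it, revoke the original token's chain, and confirm the rescoped token is rejected.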