OSSA-2012-010: Various Keystone token expiration issues¶

Date:: July 27, 2012
CVE:: CVE-2012-3426

Affects¶

Keystone: Essex, Folsom

Description¶

Derek Higgins reported various issues affecting Keystone token expiration. A token expiration date can be circumvented by continuously creating new tokens before the old one has expired. Existing tokens also remain valid after a user account is disabled or after an account password changed. An authenticated and authorized user could potentially leverage those vulnerabilities to extend his access beyond the account owner expectations.

Patches¶

https://review.openstack.org/#/c/8573 (Essex)
https://review.openstack.org/#/c/8456 (Essex)
https://review.openstack.org/#/c/8454 (Essex)
https://review.openstack.org/#/c/8174 (Folsom)
https://review.openstack.org/#/c/7344 (Folsom)
https://review.openstack.org/#/c/7276 (Folsom)

Credits¶

Derek Higgins (CVE-2012-3426)

References¶

https://launchpad.net/bugs/998185
https://launchpad.net/bugs/997194
https://launchpad.net/bugs/996595
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3426

OSSA-2012-010: Various Keystone token expiration issues