OSSA-2012-014: Revoking a role does not affect existing tokens

Date

September 12, 2012

CVE

CVE-2012-4413

Affects

  • Keystone: Essex, Folsom

Description

Dolph Mathews reported a vulnerability in Keystone. Granting roles to and revoking roles from a user is not reflected in token validation for pre-existing tokens: such tokens continue to be valid for the original set of roles for the remainder of the token's lifespan, or until explicitly invalidated. The fix invalidates all tokens held by a user upon role grant/revoke to circumvent the issue.
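To make the failure mode and the fix concrete, the following is an added Python model written for this advisory; it is not Keystone's code, and the class and function names (TokenService, demo) are hypothetical. Tokens snapshot the user's roles at issue time; the vulnerable validator trusts that snapshot until expiry, while the fixed service drops all of the user's tokens whenever a role is granted or revoked, as the advisory's fix does.

```python
import secrets
import time


class TokenService:
    """In-memory model: user -> roles, token id -> roles snapshot + expiry."""

    def __init__(self, invalidate_on_role_change: bool):
        self.invalidate_on_role_change = invalidate_on_role_change
        self.user_roles = {}   # user -> set of role names
        self.tokens = {}       # token id -> {"user", "roles", "expires"}

    def grant_role(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)
        self._on_role_change(user)

    def revoke_role(self, user, role):
        self.user_roles.get(user, set()).discard(role)
        self._on_role_change(user)

    def _on_role_change(self, user):
        # The fix: drop every token the user holds so that only tokens issued
        # after the change, reflecting the current role set, remain valid.
        if self.invalidate_on_role_change:
            stale = [t for t, d in self.tokens.items() if d["user"] == user]
            for tid in stale:
                del self.tokens[tid]

    def issue_token(self, user, ttl=3600):
        tid = secrets.token_hex(16)
        self.tokens[tid] = {
            "user": user,
            "roles": set(self.user_roles.get(user, set())),  # snapshot at issue time
            "expires": time.time() + ttl,
        }
        return tid

    def validate(self, tid):
        """Return the roles the token grants, or None if unknown or expired."""
        data = self.tokens.get(tid)
        if data is None or data["expires"] < time.time():
            return None
        return set(data["roles"])


def demo(fixed: bool):
    """Issue a token while 'alice' is admin, revoke the role, then validate."""
    svc = TokenService(invalidate_on_role_change=fixed)
    svc.grant_role("alice", "admin")
    tok = svc.issue_token("alice")
    svc.revoke_role("alice", "admin")   # revocation should end admin access
    return svc.validate(tok)            # vulnerable: {"admin"}; fixed: None
```

Without the fix the pre-existing token still validates with the revoked role; with it the token is gone and the client must re-authenticate to obtain a token reflecting the current roles.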

Credits

  • Dolph Mathews from Rackspace (CVE-2012-4413)

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.