OSSA-2013-009: Keystone PKI tokens online validation bypasses revocation check

Date: March 20, 2013
CVE: CVE-2013-1865

Affects

  • Keystone: Folsom

Description

Guang Yee from HP reported a vulnerability in the revocation check for Keystone PKI tokens. Those tokens are supposed to be validated locally using cryptographic checks, but the user also has the option of asking the server to validate them. In that case, the online verification of PKI tokens would bypass the revocation check, potentially affirming that revoked tokens are still valid. Only Folsom setups making use of online verification of PKI tokens are affected.
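
The defect is a difference in which checks each validation path performs. The Python sketch below is an added illustration, not Keystone's own code: an HMAC stands in for the CMS signature on real PKI tokens, the revocation list is an in-memory set of token-id hashes, and all function names are assumptions. It models the local path, the affected online path that stops after the cryptographic checks, and a corrected online path that ends in the same revocation lookup.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key; stands in for the signing certificate of real PKI tokens.
SIGNING_KEY = b"constructed-demo-signing-key"

def issue_token(token_id, user, ttl=3600, now=None):
    """Return a signed token: JSON body + '.' + HMAC-SHA256 over the body."""
    now = time.time() if now is None else now
    body = json.dumps({"id": token_id, "user": user, "expires": int(now) + ttl},
                      sort_keys=True)
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def _revocation_key(token_id):
    # Assumed list layout: hashes of revoked token ids, not the ids themselves.
    return hashlib.sha256(token_id.encode()).hexdigest()

def revoke(token_id, revocation_list):
    revocation_list.add(_revocation_key(token_id))

def _cryptographic_checks(token, now):
    """Signature and expiry only; returns the parsed body, or None on failure."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    parsed = json.loads(body)
    return parsed if parsed["expires"] > now else None

def validate_local(token, revocation_list, now=None):
    """Offline path: cryptographic checks, then the revocation list."""
    now = time.time() if now is None else now
    body = _cryptographic_checks(token, now)
    return body is not None and _revocation_key(body["id"]) not in revocation_list

def validate_online_vulnerable(token, revocation_list, now=None):
    """Server-side path as affected by CVE-2013-1865: the revocation list is
    never consulted, so a revoked but unexpired token still validates."""
    now = time.time() if now is None else now
    return _cryptographic_checks(token, now) is not None

def validate_online_fixed(token, revocation_list, now=None):
    """Corrected server-side path: same final revocation lookup as the local one."""
    return validate_local(token, revocation_list, now)
```

A deployment check that catches this class of bug is to revoke a freshly issued token and confirm that both the local and the server-side validation paths reject it before its expiry.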

Credits

  • Guang Yee from HP (CVE-2013-1865)

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.