OSSA-2013-011: Keystone tokens not immediately invalidated when user is deleted¶

Date:: May 09, 2013
CVE:: CVE-2013-2059

Affects¶

Keystone: All versions

Description¶

Sam Stoelinga reported a vulnerability in Keystone. When users are deleted through Keystone v2 API, existing tokens for those users are not immediately invalidated and remain valid for the duration of the token’s life (by default, up to 24 hours). This may result in users retaining access when the administrator of the system thought them disabled. You can workaround this issue by disabling a user before deleting it: in that case the tokens belonging to the disabled user are immediately invalidated. Keystone setups using the v3 API call to delete users are unaffected.

Patches¶

https://review.openstack.org/#/c/28679 (Folsom)
https://review.openstack.org/#/c/28678 (Grizzly)
https://review.openstack.org/#/c/28677 (Havana)

Credits¶

Sam Stoelinga (CVE-2013-2059)

References¶

https://launchpad.net/bugs/1166670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2059

OSSA-2013-011: Keystone tokens not immediately invalidated when user is deleted