OSSA-2013-014: Missing expiration check in Keystone PKI tokens validation

OSSA-2013-014: Missing expiration check in Keystone PKI tokens validation

Date

May 28, 2013

CVE

CVE-2013-2104

Affects

  • Keystone: Folsom

  • Python-keystoneclient: Versions after 0.2.0

Description

Eoghan Glynn from Red Hat and Alex Meade from Rackspace both reported a vulnerability in expiry checks for PKI tokens in the Keystone authentication middleware. Expired tokens for authenticated users could continue to be used, potentially resulting in the bypass of intended security policies. The effect of PKI token revocation is also reversed when the token expires, in the sense that a revoked token is once again treated as being valid. Only setups using PKI tokens are affected.

Credits

  • Eoghan Glynn from Red Hat (CVE-2013-2104)

  • Alex Meade from Rackspace (CVE-2013-2104)

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.