OSSA-2013-025: Token revocation failure using Keystone memcache/KVS backends¶

Date:: September 11, 2013
CVE:: CVE-2013-4294

Affects¶

Keystone: Folsom, Grizzly

Description¶

Kieran Spear from the University of Melbourne reported a vulnerability in Keystone memcache and KVS token backends. The PKI token revocation lists stored the entire token instead of the token ID, triggering comparison failures, ultimately resulting in revoked PKI tokens still being considered valid. Only Folsom and Grizzly Keystone setups making use of PKI tokens with the memcache or KVS token backends are affected. Havana setups, setups using UUID tokens, or setups using PKI tokens with the SQL token backend are all unaffected.

Patches¶

https://review.openstack.org/#/c/46080 (Folsom)
https://review.openstack.org/#/c/46079 (Grizzly)

Credits¶

Kieran Spear from University of Melbourne (CVE-2013-4294)

References¶

https://launchpad.net/bugs/1202952
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4294

OSSA-2013-025: Token revocation failure using Keystone memcache/KVS backends