OSSA-2016-005: Potential reuse of revoked Identity tokens

Date: January 29, 2016


Affects

  • Keystone: <= 2015.1.2, >= 8.0.0 <= 8.0.1
  • Keystonemiddleware: >= 1.5.0 <= 1.5.3, >= 1.6.0 <= 2.3.2


Description

Liu Sheng reported a vulnerability in Keystone. By manipulating the content of a token, an authenticated user can prevent that token from being revoked. If such a revoked token is later intercepted by an attacker, it can be used to gain unauthorized access to cloud resources. Only Keystone deployments using the PKI or PKIZ token providers are affected.



Credits

  • Liu Sheng from Huawei (CVE-2015-7546)


Notes

  • The keystone fix is included in 2015.1.3 (Kilo) and will be included in the future 8.0.2 (Liberty) release.
  • The keystonemiddleware fix will be included in the future 1.5.4 (Kilo) and 2.3.3 (Liberty) releases.
  • Both keystone and keystonemiddleware need to be updated; updating only one of them does not close the issue.
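The following script checks whether the keystone and keystonemiddleware versions installed on a host fall inside the affected ranges listed above and reports the first fixed release for that series. It is an added example, not code from the advisory or from the OpenStack projects. The one point that makes the check less trivial than it looks is keystone's version numbering: the Kilo series is year-based (2015.1.x) while Liberty switched to 8.0.x, so a naive numeric "<= 2015.1.2" would also match every 8.0.x release, including the fixed 8.0.2. The Kilo range is therefore pinned to the year-based scheme with an assumed lower bound of 2000.0.0; the `installed_version` helper uses `importlib.metadata` and simply reports "not installed" when a package is absent.

```python
"""Check installed keystone / keystonemiddleware versions against the ranges
published in OSSA-2016-005.  Added example; not part of the advisory or of
the OpenStack projects."""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2015.1.2', '8.0.1' or '2.3.2.dev4' into a comparable tuple of ints.
    Non-numeric suffixes such as 'dev4' or 'b1' are dropped."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


# (lower bound, upper bound, first fixed release), bounds inclusive, taken from
# the advisory.  Keystone's Kilo series is year-based (2015.1.x) while Liberty
# is 8.0.x, so "<= 2015.1.2" must not swallow 8.0.x: the Kilo range is pinned to
# the year-based scheme (assumed lower bound 2000.0.0, chosen for this example).
AFFECTED = {
    "keystone": [
        ("2000.0.0", "2015.1.2", "2015.1.3"),   # Kilo and earlier (year-based)
        ("8.0.0", "8.0.1", "8.0.2"),            # Liberty
    ],
    "keystonemiddleware": [
        ("1.5.0", "1.5.3", "1.5.4"),            # Kilo stable branch
        ("1.6.0", "2.3.2", "2.3.3"),            # Liberty
    ],
}


def affected_fix(package: str, version: str) -> Optional[str]:
    """Return the first fixed release if `version` of `package` is affected,
    otherwise None."""
    parsed = parse_version(version)
    for low, high, fixed in AFFECTED.get(package.lower(), []):
        if parse_version(low) <= parsed <= parse_version(high):
            return fixed
    return None


def installed_version(package: str) -> Optional[str]:
    """Installed distribution version via importlib.metadata, or None."""
    try:
        from importlib.metadata import PackageNotFoundError, version
    except ImportError:  # Python < 3.8 has no importlib.metadata
        return None
    try:
        return version(package)
    except PackageNotFoundError:
        return None


def check_host() -> dict:
    """Report each package as 'not installed', 'affected (upgrade to X)' or 'ok'."""
    report = {}
    for package in AFFECTED:
        ver = installed_version(package)
        if ver is None:
            report[package] = "not installed"
            continue
        fixed = affected_fix(package, ver)
        report[package] = f"affected (upgrade to {fixed})" if fixed else "ok"
    return report


if __name__ == "__main__":
    for name, status in check_host().items():
        print(f"{name}: {status}")
```

Because the advisory requires both packages to be updated, treat the host as vulnerable if either line of the report says "affected"; a host running a fixed keystone against a vulnerable keystonemiddleware is still exposed.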
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.