OSSA-2016-005: Potential reuse of revoked Identity tokens

Date

January 29, 2016

CVE

CVE-2015-7546

Affects

  • Keystone: <= 2015.1.2, >= 8.0.0 <= 8.0.1

  • Keystonemiddleware: >= 1.5.0 <= 1.5.3, >= 1.6.0 <= 2.3.2

Description

Liu Sheng reported a vulnerability in Keystone. By manipulating the content of a token, an authenticated user may prevent its revocation. This can allow unauthorized access to cloud resources if a revoked token is intercepted by an attacker. Only Keystone setups using PKI or PKIZ tokens are affected.
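The advisory describes a revocation check that can be sidestepped when a token's content is altered. The following is an added, deliberately simplified model written for this page; it is not Keystone's or keystonemiddleware's code. It assumes a token whose payload is a JSON document carried in base64 (standing in for the CMS-signed PKI/PKIZ payload, which is not modelled) and contrasts a revocation list keyed on the bearer string exactly as presented with one keyed on a canonical re-serialisation of the decoded content. All function and class names here are assumptions for the illustration.

```python
import base64
import hashlib
import json

# Constructed sample payload: a stand-in for the signed token body.
SAMPLE_PAYLOAD = {"user_id": "u-1234", "project_id": "p-5678", "expires": "2016-01-30T00:00:00Z"}


def encode_token(payload: dict, **dump_kwargs) -> str:
    """Serialise a payload and base64-encode it (toy token format, not Keystone's)."""
    body = json.dumps(payload, sort_keys=True, **dump_kwargs).encode()
    return base64.urlsafe_b64encode(body).decode()


def naive_revocation_id(presented: str) -> str:
    """Hash the bearer string exactly as it arrived on the wire.

    Any presentation of the same token that differs by a single byte yields
    a different identifier, so the revocation list no longer matches it.
    """
    return hashlib.sha256(presented.encode()).hexdigest()


def canonical_revocation_id(presented: str) -> str:
    """Decode, re-serialise deterministically, then hash.

    Two encodings of the same token content map to the same identifier, so a
    revocation recorded for one presentation covers every equivalent one.
    """
    padded = presented + "=" * (-len(presented) % 4)
    raw = base64.urlsafe_b64decode(padded)
    canon = json.dumps(json.loads(raw), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class RevocationList:
    """A revocation list keyed by whatever identifier function it is built with."""

    def __init__(self, id_fn):
        self._id_fn = id_fn
        self._revoked = set()

    def revoke(self, token: str) -> None:
        self._revoked.add(self._id_fn(token))

    def is_revoked(self, token: str) -> bool:
        return self._id_fn(token) in self._revoked


def compare_checks() -> dict:
    """Revoke a token, then present an equivalent re-encoding of the same content.

    Returns whether each revocation list still recognises the variant as revoked.
    """
    original = encode_token(SAMPLE_PAYLOAD)
    # Same decoded content, different wire bytes (whitespace inside the payload).
    variant = encode_token(SAMPLE_PAYLOAD, indent=1)
    assert original != variant

    naive = RevocationList(naive_revocation_id)
    canonical = RevocationList(canonical_revocation_id)
    naive.revoke(original)
    canonical.revoke(original)

    return {
        "naive_detects_variant": naive.is_revoked(variant),        # False
        "canonical_detects_variant": canonical.is_revoked(variant),  # True
    }


if __name__ == "__main__":
    print(compare_checks())
```

The defensive point is that a revocation identifier must be derived from what the verifier actually trusts (the validated, canonicalised token content), not from the raw string the caller chose to send; the real fix for this advisory lives in the Keystone and keystonemiddleware releases listed under Notes.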

Patches

Credits

  • Liu Sheng from Huawei (CVE-2015-7546)

Notes

  • The keystone fix is included in 2015.1.3 (Kilo) and will be included in a future 8.0.2 (Liberty) release.

  • The keystonemiddleware fix will be included in future 1.5.4 (Kilo) and 2.3.3 (Liberty) releases.

  • Both keystone and keystonemiddleware need to be updated.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.