OSSA-2016-005: Potential reuse of revoked Identity tokens

Date

January 29, 2016

CVE

CVE-2015-7546

Affects

  • Keystone: <= 2015.1.2, >= 8.0.0 <= 8.0.1

  • Keystonemiddleware: >= 1.5.0 <= 1.5.3, >= 1.6.0 <= 2.3.2

Description

Liu Sheng reported a vulnerability in Keystone. By manipulating token content, an authenticated user may prevent its revocation. This can allow unauthorized access to cloud resources if a revoked token is intercepted by an attacker. Only Keystone setups using PKI or PKIZ tokens are affected.

Patches

Credits

  • Liu Sheng from Huawei (CVE-2015-7546)

Notes

  • The keystone fix is included in 2015.1.3 (Kilo) and will be included in a future 8.0.2 (Liberty) release.

  • The keystonemiddleware fix will be included in future 1.5.4 (Kilo) and 2.3.3 (Liberty) releases.

  • Both keystone and keystonemiddleware need to be updated.
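A small checker that encodes the version ranges from the Affects section and the note that both packages must be fixed, so an operator can test installed versions against this advisory. This is an added example, not OpenStack's own tooling. It assumes version strings in the form reported by the package metadata (e.g. "2015.1.2", "8.0.1", optionally with a pre-release suffix that is ignored), and it uses a year threshold as an assumed heuristic to keep Keystone's date-based versions (2015.1.x and earlier) from being compared numerically against the semantic versions it adopted in Liberty (8.0.0 onward); without that separation, 8.0.2 would sort below 2015.1.2 and be reported as affected.

```python
import re

# Affected ranges as listed in the advisory's "Affects" section.
# Each entry is (lower, upper), both inclusive; a lower bound of None
# means "every release up to and including upper" within that
# versioning scheme.
AFFECTED = {
    "keystone": [
        (None, "2015.1.2"),     # Kilo and earlier (date-based versions)
        ("8.0.0", "8.0.1"),     # Liberty
    ],
    "keystonemiddleware": [
        ("1.5.0", "1.5.3"),     # Kilo
        ("1.6.0", "2.3.2"),     # Liberty
    ],
}

_PAD = 4  # compare tuples of a fixed length so "8.0" equals "8.0.0"


def parse_version(text):
    """'2015.1.2' -> (2015, 1, 2, 0). Trailing non-numeric suffixes such as
    'rc1' or '.dev3' are dropped (an assumption about the strings an
    operator will pass in, e.g. copied from package metadata)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % (text,))
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0,) * _PAD)[:_PAD]


def scheme(parsed):
    """Keystone used date-based versions (2015.1.x and earlier) before
    switching to semantic versions (8.0.0 onward) in Liberty. Plain numeric
    comparison across the two schemes would put 8.0.2 below 2015.1.2, so a
    range is only applied to versions in the same scheme as its upper bound.
    The year threshold is an assumed heuristic to tell the schemes apart."""
    return "date" if parsed[0] >= 2000 else "semver"


def is_affected(component, version):
    """True if `version` of `component` lies inside any affected range."""
    v = parse_version(version)
    for lower, upper in AFFECTED[component]:
        hi = parse_version(upper)
        if scheme(v) != scheme(hi):
            continue
        lo = parse_version(lower) if lower is not None else None
        if (lo is None or lo <= v) and v <= hi:
            return True
    return False


def deployment_vulnerable(keystone_version, middleware_version):
    """The advisory notes both packages must be updated: the deployment is
    still exposed while either one is in an affected range."""
    return (is_affected("keystone", keystone_version)
            or is_affected("keystonemiddleware", middleware_version))


if __name__ == "__main__":
    # Constructed sample inputs, not real deployment data.
    for ks, mw in [("2015.1.2", "1.5.3"), ("2015.1.3", "1.5.3"),
                   ("8.0.1", "2.3.2"), ("8.0.2", "2.3.3")]:
        status = "VULNERABLE" if deployment_vulnerable(ks, mw) else "fixed"
        print("keystone %s + keystonemiddleware %s -> %s" % (ks, mw, status))
```

The fixed releases named in the Notes (2015.1.3, 8.0.2, 1.5.4, 2.3.3) each fall just outside the corresponding range, so they report as fixed; a deployment with only one of the two packages updated still reports as vulnerable.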