OSSA-2016-008: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass

OSSA-2016-008: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass¶

Date:: May 23, 2016
CVE:: CVE-2016-4911

Affects¶

Keystone: ==9.0.0

Description¶

Lance Bragstad (Rackspace) reported a vulnerability in the Keystone Fernet Token Provider. By rescoping a token a user will receive a new token without correct audit_ids, these incorrect audit_ids will prevent the entire chain of tokens from being revoked properly. This vulnerability does not impact revoking a token by its individual audit_id. Only deployments with Keystone configured to use Fernet tokens are impacted.

Patches¶

https://review.openstack.org/#/c/312582/ (Mitaka)
https://review.openstack.org/#/c/311886/ (Newton)

Credits¶

Lance Bragstad from Rackspace (CVE-2016-4911)

References¶

Notes¶

This fix was included in the openstack/keystone 9.0.1 (mitaka) release.

this page last updated: 2024-03-18 15:52:07

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.