[OSSA-2016-005] Potential reuse of revoked Identity tokens (CVE-2015-7546)

Bug #1542152 reported by Adam Heczko
Affects             Status        Importance  Assigned to       Milestone
Mirantis OpenStack  Invalid       High        MOS Keystone      8.0
5.1.x               Won't Fix     High        Denis Meltsaykin
6.0.x               Fix Released  High        Denis Meltsaykin
6.1.x               Fix Released  High        Denis Meltsaykin
7.0.x               Fix Released  High        Denis Meltsaykin

Bug Description

Problem description:
By manipulating a token's content, an authenticated user may prevent its revocation. This can allow unauthorized access to cloud resources if a revoked token is intercepted by an attacker. Only keystone setups using PKI or PKIZ tokens are affected.

Upstream bug report:
https://bugs.launchpad.net/bugs/1490804

Upstream patches:
mitaka:
 https://review.openstack.org/258141 (keystone)
 https://review.openstack.org/258143 (keystonemiddleware)

liberty:
 https://review.openstack.org/266022 (keystone)
 https://review.openstack.org/265988 (keystonemiddleware)

kilo:
 https://review.openstack.org/266045 (keystone)
 https://review.openstack.org/266607 (keystonemiddleware)

References:
https://wiki.openstack.org/wiki/OSSN/OSSN-0062

CVE References
CVE-2015-7546

Changed in mos:
importance: Undecided → High
milestone: none → 8.0
status: New → Invalid
assignee: MOS Maintenance (mos-maintenance) → MOS Keystone (mos-keystone)
Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :

Closing this as Won't Fix for 5.1.1-updates, as Icehouse's keystone doesn't support audit_ids, which are the basis of the fix.

Revision history for this message
Denis Meltsaykin (dmeltsaykin) wrote :

All the fixes are on review: https://review.fuel-infra.org/#/q/topic:bug/1542152 (TBD)

information type: Private Security → Public Security
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/keystonemiddleware (openstack-ci/fuel-7.0/2015.1.0)

Fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: Brant Knudson <email address hidden>
Review: https://review.fuel-infra.org/17732

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/keystonemiddleware (openstack-ci/fuel-7.0/2015.1.0)

Reviewed: https://review.fuel-infra.org/17732
Submitter: Vitaly Sedelnik <email address hidden>
Branch: openstack-ci/fuel-7.0/2015.1.0

Commit: aa32968e2b67559e6faa52db8df0f49bdd9df419
Author: Brant Knudson <email address hidden>
Date: Thu Mar 3 14:27:41 2016

auth_token verify revocation by audit_id

If the revocation list includes audit_ids, then when doing offline
validation also validate the token isn't revoked by audit_id.

Backport notes:
- test_auth_token_middleware was refactored with commit 9cbd47b to
  check responses differently, so the test changed to use the old
  method.
- reno was not supported so the release note is removed.

Closes-Bug: #1542152
Conflicts:
 keystonemiddleware/auth_token/__init__.py

(cherry picked from commit 70eeda3e06f5422aa953a38fe93d302079d7cc21)
Change-Id: Ifcf88f1158bebddc4f927121fbf4136fb53b659f

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/keystone (openstack-ci/fuel-7.0/2015.1.0)

Reviewed: https://review.fuel-infra.org/16847
Submitter: Denis V. Meltsaykin <email address hidden>
Branch: openstack-ci/fuel-7.0/2015.1.0

Commit: a8a0158bb53899dd82923bb9bf96ac2d102d4716
Author: Brant Knudson <email address hidden>
Date: Fri Mar 4 13:20:17 2016

Add audit IDs to revocation events

The revoked tokens' audit ID is now included in the data returned in
the revocation list.

Closes-Bug: #1542152
Change-Id: Ifcf88f1158bebddc4f927121fbf4136fb53b659f
(cherry picked from commit 9c9c1331e0c004897d5f4c5847f7143b56373f10)
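The two backported commits above (keystone adding audit IDs to the revocation list, auth_token checking revocation by audit_id during offline validation) fix the problem stated in the bug description. The following is an added illustration, not code from keystone, keystonemiddleware or this bug's patches. It uses a constructed toy token model: the signed payload carries an audit_id, the "token id" is a hash of the encoded blob (as keystone derived PKI token IDs), and HMAC stands in for CMS signing. The assumption it encodes is that a holder can re-serialize a token without altering the signed payload, which changes the hash-based ID but not the audit_id inside the signature; `encode_token`, `is_revoked_by_id`, `is_revoked` and the sample payload are all hypothetical names and data.

```python
import hashlib
import hmac
import json
import uuid

# Constructed toy model of a PKI-style token (not keystone's CMS format):
# HMAC over canonical JSON stands in for the CMS signature.
SIGNING_KEY = b"example-keystone-signing-key"  # constructed, illustration only


def sign_payload(payload: dict) -> dict:
    """Return a signed token: canonical payload bytes plus an HMAC over them."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(SIGNING_KEY, canonical.encode(), hashlib.sha256).hexdigest()
    return {"payload": canonical, "sig": sig}


def encode_token(signed: dict, *, indent=None) -> str:
    """Serialize the signed token. Different indent values give different
    strings for the same signed payload, mimicking a re-encoded token."""
    return json.dumps(signed, indent=indent, sort_keys=True)


def token_id(encoded: str) -> str:
    """Token ID derived from the encoded blob, as keystone did for PKI tokens."""
    return hashlib.md5(encoded.encode()).hexdigest()


def verify_and_decode(encoded: str) -> dict:
    """Offline validation: check the signature and return the signed payload."""
    signed = json.loads(encoded)
    expected = hmac.new(SIGNING_KEY, signed["payload"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        raise ValueError("bad signature")
    return json.loads(signed["payload"])


def is_revoked_by_id(encoded: str, revoked_ids: set) -> bool:
    """Pre-fix check: revoked only if the hash of the presented blob is listed."""
    verify_and_decode(encoded)
    return token_id(encoded) in revoked_ids


def is_revoked(encoded: str, revoked_ids: set, revoked_audit_ids: set) -> bool:
    """Post-fix check: also revoked if the audit_id inside the signed payload
    appears in the revocation list (the audit_id cannot be changed without
    breaking the signature)."""
    payload = verify_and_decode(encoded)
    if token_id(encoded) in revoked_ids:
        return True
    return payload.get("audit_id") in revoked_audit_ids


def demo() -> dict:
    """Issue a token, revoke it, then present a re-encoded copy to both checks."""
    payload = {  # constructed sample token body
        "user_id": "u1",
        "project_id": "p1",
        "expires": "2016-03-04T00:00:00Z",
        "audit_id": uuid.uuid4().hex,
    }
    signed = sign_payload(payload)
    original = encode_token(signed)
    # Keystone revokes the token it issued; after the fix the revocation
    # list also carries the token's audit_id.
    revoked_ids = {token_id(original)}
    revoked_audit_ids = {payload["audit_id"]}
    # The holder re-serializes the token without touching the signed payload.
    reencoded = encode_token(signed, indent=2)
    return {
        "reencoded_verifies": verify_and_decode(reencoded) == payload,
        "id_changed": token_id(reencoded) != token_id(original),
        "old_check_original": is_revoked_by_id(original, revoked_ids),
        "old_check_reencoded": is_revoked_by_id(reencoded, revoked_ids),
        "new_check_reencoded": is_revoked(reencoded, revoked_ids, revoked_audit_ids),
    }


if __name__ == "__main__":
    print(demo())
```

The point to carry over to a real deployment is the ordering in `is_revoked`: the signature is verified before anything in the payload is trusted, and the audit_id check runs even when the hash-based ID does not match. An operator verifying the backport should confirm that the revocation list served by the patched keystone contains audit_ids and that the patched auth_token honours them; a keystone patched without the middleware patch still publishes the audit_ids, but offline validators ignore them.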

tags: added: on-verification
Revision history for this message
Vadim Rovachev (vrovachev) wrote :

script - http://paste.openstack.org/show/490927/
verified on 6.1 ubuntu

tags: removed: on-verification
tags: added: on-verification
tags: removed: on-verification
Dmitry (dtsapikov)
tags: added: on-verification
Revision history for this message
Dmitry (dtsapikov) wrote :

Verified on 7.0+mu3

tags: removed: on-verification
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/keystonemiddleware (openstack-ci/fuel-6.1/2014.2)

Change abandoned by Denis V. Meltsaykin <email address hidden> on branch: openstack-ci/fuel-6.1/2014.2
Review: https://review.fuel-infra.org/17006

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/python-keystoneclient (openstack-ci/fuel-6.0-updates/2014.2)

Change abandoned by Denis V. Meltsaykin <email address hidden> on branch: openstack-ci/fuel-6.0-updates/2014.2
Review: https://review.fuel-infra.org/16943

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/keystone (openstack-ci/fuel-5.1.1-updates/2014.1.1)

Change abandoned by Denis V. Meltsaykin <email address hidden> on branch: openstack-ci/fuel-5.1.1-updates/2014.1.1
Review: https://review.fuel-infra.org/16868
Reason: This fix doesn't fit.

This report contains Public Security information  
Everyone can see this security related information.
