[OSSA-2016-005] Potential reuse of revoked Identity tokens (CVE-2015-7546)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mirantis OpenStack | Invalid | High | MOS Keystone | |
| 5.1.x | Won't Fix | High | Denis Meltsaykin | |
| 6.0.x | Fix Released | High | Denis Meltsaykin | |
| 6.1.x | Fix Released | High | Denis Meltsaykin | |
| 7.0.x | Fix Released | High | Denis Meltsaykin | |
Bug Description
Problem description:
By manipulating a token's content, an authenticated user may prevent its revocation. This can allow unauthorized access to cloud resources if a revoked token is intercepted by an attacker. Only keystone setups using PKI or PKIZ tokens are affected.
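The weakness class the description names, as an added Python illustration that is not Keystone's code: a toy signed token whose revocation list is keyed on a hash of the bytes as transported, beside a check keyed on an audit_id carried inside the signed payload (the approach the fix is based on). The HMAC scheme, the key, and re-wrapped base64 as the "manipulated content" are assumptions for the demo, not the details of the upstream report.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: stand-in for the real signing key


def sign(payload: dict) -> bytes:
    """Return canonical JSON body + '.' + hex HMAC (toy stand-in for CMS signing)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body + b"." + hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()


def verify(signed: bytes):
    """Return the payload if the signature is valid, else None."""
    body, _, mac = signed.rpartition(b".")
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    return json.loads(body) if hmac.compare_digest(expected, mac) else None


def encode(signed: bytes, wrap: int = 0) -> bytes:
    """Transport encoding; wrap > 0 inserts line breaks as PEM-style base64 does."""
    b64 = base64.b64encode(signed)
    if wrap:
        b64 = b"\n".join(b64[i:i + wrap] for i in range(0, len(b64), wrap))
    return b64


def decode(token: bytes) -> bytes:
    return base64.b64decode(token.replace(b"\n", b""))


def token_id(token: bytes) -> str:
    # Weak revocation key: a hash of the bytes exactly as they were transported.
    return hashlib.sha256(token).hexdigest()


def is_revoked_by_id(token: bytes, revoked_ids: set) -> bool:
    return token_id(token) in revoked_ids


def is_revoked_by_audit_id(token: bytes, revoked_audit_ids: set) -> bool:
    # Robust key: the audit_id is inside the signed payload, so any
    # re-encoding that still verifies carries the same audit_id.
    payload = verify(decode(token))
    return payload is None or payload["audit_id"] in revoked_audit_ids


def demo():
    payload = {"user": "alice", "project": "demo", "audit_id": "constructed-audit-1"}
    issued = encode(sign(payload))             # token as issued to the user
    recoded = encode(sign(payload), wrap=64)   # same signed content, different wire bytes
    assert verify(decode(recoded)) == payload  # still validates
    return (is_revoked_by_id(issued, {token_id(issued)}),
            is_revoked_by_id(recoded, {token_id(issued)}),
            is_revoked_by_audit_id(issued, {payload["audit_id"]}),
            is_revoked_by_audit_id(recoded, {payload["audit_id"]}))
```

The second value shows the re-encoded token slipping past ID-based revocation while still verifying; the last two show the audit_id check catching both forms.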
Upstream bug report:
https:/
Upstream patches:
mitaka:
https:/
https:/
liberty:
https:/
https:/
kilo:
https:/
https:/
References:
https:/
CVE References: CVE-2015-7546
Changed in mos:

| Field | Change |
|---|---|
| importance | Undecided → High |
| milestone | none → 8.0 |
| status | New → Invalid |
| assignee | MOS Maintenance (mos-maintenance) → MOS Keystone (mos-keystone) |
| information type | Private Security → Public Security |
| tags | added: on-verification |
| tags | added: on-verification |
| tags | removed: on-verification |
| tags | added: on-verification |
Closing this as Won't Fix for 5.1.1-updates, as Icehouse's keystone doesn't support audit_ids, which are the basis of the fix.