[OSSA 2014-026] Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | High | Brant Knudson | |
| Icehouse | Fix Released | High | Brant Knudson | |
| OpenStack Security Advisory | Fix Released | High | Tristan Cacqueray | |
Bug Description
Steps to recreate

1. Generate a v2.0 token: http://
2. Pull the token from the body of the response and use the /v3/auth/tokens/ GET API call to verify the token: http://
   Notice that the 'issued_at' time of the token has changed.
3. Repeat step 2 and notice that the 'issued_at' time of the same token changes again: http://

The 'issued_at' time of a token should not change when validating the token using the /v3/auth/token GET API call. This is because the issued_at time is being overwritten on GET here: https:/

This seems like it has been written strictly for POSTs? In the case of POST, the issued_at time needs to be generated; in the case of HEAD or GET, the issued_at time should already exist.
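A small added model of the behaviour the report describes (constructed example code, not keystone's token provider): a POST path that generates issued_at, a GET path that wrongly regenerates it, the corrected GET path that reuses the stored value, and a check that repeats the issue-once, validate-twice steps above. The token store, token ids and FakeClock are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

class FakeClock:
    """Constructed clock: every call advances one second, so no sleeps are needed."""
    def __init__(self):
        self.t = datetime(2014, 8, 1, tzinfo=timezone.utc)

    def now(self):
        self.t += timedelta(seconds=1)
        return self.t

def issue_token(store, clock):
    """POST /v3/auth/tokens: a new token, so issued_at is generated here."""
    issued = clock.now()
    token_id = f"tok-{len(store) + 1}"  # constructed id, not a real token
    store[token_id] = {"issued_at": issued, "expires_at": issued + timedelta(hours=1)}
    return token_id

def validate_token_buggy(store, token_id, clock):
    """GET /v3/auth/tokens with the reported bug: issued_at is stamped with 'now' again."""
    ref = store[token_id]
    return {"issued_at": clock.now().isoformat(),
            "expires_at": ref["expires_at"].isoformat()}

def validate_token_fixed(store, token_id, clock):
    """GET /v3/auth/tokens after the fix: the issued_at stored at creation is reused."""
    ref = store[token_id]
    return {"issued_at": ref["issued_at"].isoformat(),
            "expires_at": ref["expires_at"].isoformat()}

def issued_at_is_stable(validate):
    """Regression check mirroring the steps to recreate: issue a token, validate it
    twice, and report whether issued_at stayed equal to the stored creation time."""
    clock, store = FakeClock(), {}
    token_id = issue_token(store, clock)
    first = validate(store, token_id, clock)["issued_at"]
    second = validate(store, token_id, clock)["issued_at"]
    return first == second == store[token_id]["issued_at"].isoformat()

if __name__ == "__main__":
    print("buggy GET keeps issued_at:", issued_at_is_stable(validate_token_buggy))  # False
    print("fixed GET keeps issued_at:", issued_at_is_stable(validate_token_fixed))  # True
```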
| Changed in | Field | Change |
|---|---|---|
| | description | updated |
| | description | updated |
| keystone | importance | Undecided → Medium |
| keystone | assignee | Lance Bragstad (lbragstad) → Brant Knudson (blk-u) |
| ossa | assignee | nobody → Tristan Cacqueray (tristan-cacqueray) |
| ossa | status | Confirmed → Triaged |
| ossa | status | Triaged → In Progress |
| | summary | Token issued_at time changes on /v3/auth/token GET requests → Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252) |
| | summary | Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252) → [OSSA 2014-026] Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252) |
| ossa | status | In Progress → Fix Released |
| keystone | status | Fix Committed → Fix Released |
| keystone | milestone | juno-3 → 2014.2 |

Fix proposed to branch: master
Review: https://review.openstack.org/109747