[OSSA 2014-026] Domain-scoped tokens don't get revoked (CVE-2014-5253)
Bug #1349597 reported by Brant Knudson
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | High | Brant Knudson | |
| Havana | Invalid | High | Unassigned | |
| Icehouse | Fix Released | High | Brant Knudson | |
| OpenStack Security Advisory | Fix Released | High | Tristan Cacqueray | |
Bug Description
If a domain is invalidated and that generates a revocation event, that revocation event won't match domain-scoped tokens so those tokens won't be revoked.
This is because the code that calculates the fields for a domain-scoped token doesn't use the domain scope, so that information can't be used when testing against the revocation events.
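As an added illustration (not keystone's own code, which keeps more token fields than this), a simplified model of revocation-event matching shows the mechanism: a token is revoked when every attribute set on an event equals the matching token field, so a domain-disable event can only revoke a domain-scoped token if that token's fields record the domain it is scoped to. Field names, the token layout and the sample ids below are constructed for the example.

```python
# Added example, not keystone code: simplified revocation matching.
# A revocation event is a dict; every non-None attribute must equal the
# token's corresponding field for the token to count as revoked.

def build_token_values_buggy(token):
    """Pre-fix behaviour: the user's own domain and any project scope are
    recorded, but a domain *scope* is ignored, so scope_domain_id stays None
    for a domain-scoped token (constructed field names, not keystone's)."""
    values = {
        "user_id": token["user"]["id"],
        "user_domain_id": token["user"]["domain_id"],
        "project_id": None,
        "scope_domain_id": None,
    }
    if "project" in token:
        values["project_id"] = token["project"]["id"]
        values["scope_domain_id"] = token["project"]["domain_id"]
    return values


def build_token_values_fixed(token):
    """Post-fix behaviour: a token scoped to a domain exposes that domain."""
    values = build_token_values_buggy(token)
    if "domain" in token:
        values["scope_domain_id"] = token["domain"]["id"]
    return values


def is_revoked(events, token_values):
    """True if any event's set attributes all match the token's fields.
    A domain_id on an event matches either the user's domain or the scope."""
    for event in events:
        ok = True
        for key, wanted in event.items():
            if wanted is None:
                continue
            if key == "domain_id":
                ok &= wanted in (token_values["user_domain_id"],
                                 token_values["scope_domain_id"])
            else:
                ok &= token_values.get(key) == wanted
        if ok:
            return True
    return False


# Constructed sample: user from domain "users" holds a token scoped to
# domain "d1"; disabling "d1" emits a revocation event for that domain.
DOMAIN_TOKEN = {"user": {"id": "u1", "domain_id": "users"}, "domain": {"id": "d1"}}
EVENTS = [{"domain_id": "d1"}]

def revoked_before_fix():
    return is_revoked(EVENTS, build_token_values_buggy(DOMAIN_TOKEN))  # False

def revoked_after_fix():
    return is_revoked(EVENTS, build_token_values_fixed(DOMAIN_TOKEN))  # True
```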
| Changed in | Field | Change |
|---|---|---|
| keystone | status | New → In Progress |
| keystone | importance | Undecided → High |
| keystone | tags | added: icehouse-backport-potential |
| ossa | assignee | nobody → Tristan Cacqueray (tristan-cacqueray) |
| ossa | importance | Medium → High |
| keystone | status | In Progress → Fix Committed |
| ossa | status | Confirmed → Triaged |
| ossa | status | Triaged → In Progress |
| | summary | Domain-scoped tokens don't get revoked → Domain-scoped tokens don't get revoked (CVE-2014-5253) |
| | summary | Domain-scoped tokens don't get revoked (CVE-2014-5253) → [OSSA 2014-026] Domain-scoped tokens don't get revoked (CVE-2014-5253) |
| ossa | status | In Progress → Fix Released |
| keystone | status | Fix Committed → Fix Released |
| keystone | milestone | juno-3 → 2014.2 |
In this case some tokens aren't getting revoked when you'd expect them to be, so this is a security vulnerability.