[OSSA 2014-026] Domain-scoped tokens don't get revoked (CVE-2014-5253)
Bug #1349597 reported by Brant Knudson
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Brant Knudson | 
Havana | Invalid | High | Unassigned | 
Icehouse | Fix Released | High | Brant Knudson | 
OpenStack Security Advisory | Fix Released | High | Tristan Cacqueray | 
Bug Description
If a domain is invalidated and that generates a revocation event, that revocation event won't match domain-scoped tokens so those tokens won't be revoked.
This is because the code that calculates the fields for a domain-scoped token doesn't use the domain scope, so that information can't be used when testing against the revocation events.
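To make the failure mode concrete, here is a small model of revocation-event matching, written for this page as an added illustration; it is not Keystone's own code, and the field names, the `RevocationEvent` class and the sample token and event values are constructed assumptions. It contrasts a field calculation that drops the domain scope (the behaviour the report describes) with one that carries `domain_id`, and shows that only the latter lets a domain-invalidation event revoke a domain-scoped token.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass(frozen=True)
class RevocationEvent:
    """Constructed model of a revocation event: each attribute that is set
    must equal the matching token field; attributes left as None are wildcards."""
    domain_id: Optional[str] = None
    project_id: Optional[str] = None
    user_id: Optional[str] = None
    issued_before: float = 0.0  # tokens issued before this instant are affected


def token_fields_dropping_domain(token: Dict) -> Dict:
    """Models the reported bug: the domain scope of the token is never
    copied into the fields, so a domain event has nothing to match on."""
    return {
        "user_id": token["user_id"],
        "project_id": token.get("project_id"),
        "domain_id": None,
        "issued_at": token["issued_at"],
    }


def token_fields_with_domain(token: Dict) -> Dict:
    """Corrected calculation: domain-scoped tokens expose their domain_id."""
    return {
        "user_id": token["user_id"],
        "project_id": token.get("project_id"),
        "domain_id": token.get("domain_id"),
        "issued_at": token["issued_at"],
    }


def event_matches(event: RevocationEvent, fields: Dict) -> bool:
    """An event matches when every attribute set on it equals the token's
    field and the token was issued before the event's cut-off."""
    for attr in ("domain_id", "project_id", "user_id"):
        wanted = getattr(event, attr)
        if wanted is not None and fields.get(attr) != wanted:
            return False
    return fields["issued_at"] < event.issued_before


def is_revoked(token: Dict, events: Iterable[RevocationEvent],
               fields_fn: Callable[[Dict], Dict]) -> bool:
    """Token is revoked if any recorded event matches its computed fields."""
    fields = fields_fn(token)
    return any(event_matches(e, fields) for e in events)


# Constructed sample data: one domain-scoped token, one project-scoped token,
# and a single event recording that domain "d1" was invalidated at t=200.
DOMAIN_TOKEN = {"user_id": "u1", "domain_id": "d1", "issued_at": 100.0}
PROJECT_TOKEN = {"user_id": "u1", "project_id": "p1", "issued_at": 100.0}
EVENTS = [RevocationEvent(domain_id="d1", issued_before=200.0)]


if __name__ == "__main__":
    print("buggy fields, domain token revoked:",
          is_revoked(DOMAIN_TOKEN, EVENTS, token_fields_dropping_domain))  # False
    print("fixed fields, domain token revoked:",
          is_revoked(DOMAIN_TOKEN, EVENTS, token_fields_with_domain))     # True
    print("fixed fields, project token revoked:",
          is_revoked(PROJECT_TOKEN, EVENTS, token_fields_with_domain))    # False
```

The check a deployer wants after applying the fix is the middle case: a token scoped to an invalidated domain must be reported as revoked, while tokens with no relation to that domain stay valid.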
Changed in keystone:
- status: New → In Progress

Changed in keystone:
- importance: Undecided → High
- tags: added: icehouse-backport-potential

Changed in ossa:
- assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
- importance: Medium → High

Changed in keystone:
- status: In Progress → Fix Committed

Changed in ossa:
- status: Confirmed → Triaged

Changed in ossa:
- status: Triaged → In Progress

summary:
- Domain-scoped tokens don't get revoked → Domain-scoped tokens don't get revoked (CVE-2014-5253)

summary:
- Domain-scoped tokens don't get revoked (CVE-2014-5253) → [OSSA 2014-026] Domain-scoped tokens don't get revoked (CVE-2014-5253)

Changed in ossa:
- status: In Progress → Fix Released

Changed in keystone:
- status: Fix Committed → Fix Released

Changed in keystone:
- milestone: juno-3 → 2014.2
In this case some tokens aren't getting revoked when you'd expect them to be, so this is a security vulnerability.