| 2015-09-01 03:08:48 |
Liusheng |
bug |
|
|
added bug |
| 2015-09-01 11:49:07 |
Tristan Cacqueray |
bug task added |
|
ossa |
|
| 2015-09-01 11:49:13 |
Tristan Cacqueray |
ossa: status |
New |
Incomplete |
|
| 2015-09-01 12:00:26 |
Tristan Cacqueray |
bug |
|
|
added subscriber Keystone Core security contacts |
| 2015-09-01 12:44:00 |
Jeremy Stanley |
description |
A keystone token which has been revoked can still be used by manipulating particular byte fields within the token.
When a Keystone token is revoked it is added to the revoked list which stores the exact token value. Any API will look at the token to see whether or not it should accept a token. By changing a single byte within the token, the revocation can be bypassed. see the testing script [1].
It is suggested that the revocation should be changed to only check the token's inner ID.
[1] http://paste.openstack.org/show/436516/ |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
A keystone token which has been revoked can still be used by manipulating particular byte fields within the token.
When a Keystone token is revoked it is added to the revoked list which stores the exact token value. Any API will look at the token to see whether or not it should accept a token. By changing a single byte within the token, the revocation can be bypassed. see the testing script [1].
It is suggested that the revocation should be changed to only check the token's inner ID.
[1] http://paste.openstack.org/show/436516/ |
|
| 2015-09-01 16:36:45 |
Dolph Mathews |
keystone: importance |
Undecided |
High |
|
| 2015-09-02 00:49:30 |
Liusheng |
summary |
Token Revocation Bypass |
PKI Token Revocation Bypass |
|
| 2015-09-02 04:45:56 |
Adam Young |
keystone: assignee |
|
Adam Young (ayoung) |
|
| 2015-09-02 06:21:42 |
Adam Young |
attachment added |
|
modify_token.py https://bugs.launchpad.net/keystone/+bug/1490804/+attachment/4455970/+files/modify_token.py |
|
| 2015-09-02 06:22:29 |
Adam Young |
attachment added |
|
derdump of Token data in ASN1 format https://bugs.launchpad.net/keystone/+bug/1490804/+attachment/4455971/+files/tokendata |
|
| 2015-09-02 13:54:27 |
Dolph Mathews |
attachment added |
|
bug-1490804-tests-master-v1.patch https://bugs.launchpad.net/keystone/+bug/1490804/+attachment/4456156/+files/bug-1490804-tests-master-v1.patch |
|
| 2015-09-02 16:24:46 |
Morgan Fainberg |
bug task added |
|
keystonemiddleware |
|
| 2015-09-02 16:24:58 |
Morgan Fainberg |
keystonemiddleware: status |
New |
Confirmed |
|
| 2015-09-02 16:25:06 |
Morgan Fainberg |
keystonemiddleware: status |
Confirmed |
New |
|
| 2015-09-02 16:25:09 |
Morgan Fainberg |
keystonemiddleware: importance |
Undecided |
Critical |
|
| 2015-09-02 16:25:11 |
Morgan Fainberg |
keystonemiddleware: importance |
Critical |
High |
|
| 2015-09-02 16:25:30 |
Morgan Fainberg |
keystonemiddleware: assignee |
|
Adam Young (ayoung) |
|
| 2015-09-02 16:25:44 |
Morgan Fainberg |
keystone: status |
New |
Invalid |
|
| 2015-09-02 16:25:50 |
Morgan Fainberg |
keystone: assignee |
Adam Young (ayoung) |
|
|
| 2015-09-02 16:26:23 |
Morgan Fainberg |
keystone: status |
Invalid |
New |
|
| 2015-09-02 16:26:39 |
Morgan Fainberg |
keystone: assignee |
|
Adam Young (ayoung) |
|
| 2015-09-03 04:24:28 |
Adam Young |
attachment added |
|
0001-Reject-modified-PKI-Tokens.patch https://bugs.launchpad.net/keystone/+bug/1490804/+attachment/4456676/+files/0001-Reject-modified-PKI-Tokens.patch |
|
| 2015-09-03 06:23:36 |
Adam Young |
attachment added |
|
0001-hash-the-data-in-the-token.patch https://bugs.launchpad.net/keystone/+bug/1490804/+attachment/4456711/+files/0001-hash-the-data-in-the-token.patch |
|
| 2015-09-03 17:06:28 |
Adam Young |
bug |
|
|
added subscriber Nathan Kinder |
| 2015-09-03 17:07:13 |
Adam Young |
bug task added |
|
python-keystoneclient |
|
| 2015-09-03 17:07:32 |
Adam Young |
python-keystoneclient: assignee |
|
Adam Young (ayoung) |
|
| 2015-09-03 17:10:08 |
Adam Young |
attachment added |
|
0001-Use-the-Keystoneclient-code-to-hash-the-token.patch https://bugs.launchpad.net/python-keystoneclient/+bug/1490804/+attachment/4456923/+files/0001-Use-the-Keystoneclient-code-to-hash-the-token.patch |
|
| 2015-09-03 18:03:57 |
Adam Young |
bug task added |
|
django-openstack-auth |
|
| 2015-09-03 18:17:55 |
Adam Young |
bug |
|
|
added subscriber Christina Darretta |
| 2015-09-04 14:30:48 |
Adam Young |
django-openstack-auth: assignee |
|
Adam Young (ayoung) |
|
| 2015-09-10 14:17:00 |
Adam Young |
bug |
|
|
added subscriber OSSG CoreSec |
| 2015-09-10 17:28:09 |
Morgan Fainberg |
django-openstack-auth: status |
New |
Invalid |
|
| 2015-09-11 16:50:00 |
Adam Young |
keystone: status |
New |
Confirmed |
|
| 2015-09-11 16:50:07 |
Adam Young |
keystone: status |
Confirmed |
Triaged |
|
| 2015-09-11 16:50:14 |
Adam Young |
keystonemiddleware: status |
New |
Triaged |
|
| 2015-09-11 16:50:17 |
Adam Young |
python-keystoneclient: status |
New |
Triaged |
|
| 2015-09-21 02:32:24 |
Liusheng |
attachment added |
|
bug1490804-patch-test-traceback.txt https://bugs.launchpad.net/python-keystoneclient/+bug/1490804/+attachment/4469888/+files/bug1490804-patch-test-traceback.txt |
|
| 2015-09-21 14:59:06 |
Tristan Cacqueray |
bug task added |
|
ossn |
|
| 2015-10-29 08:39:37 |
Adam Young |
attachment added |
|
0001-Disable-PKI-token-Provider.patch https://bugs.launchpad.net/keystone/+bug/1490804/+attachment/4508239/+files/0001-Disable-PKI-token-Provider.patch |
|
| 2015-11-02 15:49:17 |
Tristan Cacqueray |
ossn: importance |
Undecided |
Critical |
|
| 2015-11-12 17:02:20 |
Nathan Kinder |
ossn: assignee |
|
Nathan Kinder (nkinder) |
|
| 2015-11-19 23:15:54 |
Adam Young |
keystone: status |
Triaged |
Won't Fix |
|
| 2015-11-19 23:16:35 |
Adam Young |
keystonemiddleware: status |
Triaged |
Won't Fix |
|
| 2015-11-19 23:16:51 |
Adam Young |
python-keystoneclient: status |
Triaged |
Won't Fix |
|
| 2015-12-01 22:10:38 |
Brant Knudson |
attachment added |
|
0001-Add-audit-IDs-to-revocation-events.patch https://bugs.launchpad.net/keystone/+bug/1490804/+attachment/4528257/+files/0001-Add-audit-IDs-to-revocation-events.patch |
|
| 2015-12-01 22:11:22 |
Brant Knudson |
attachment added |
|
0001-Verify-audit_id-when-available.patch https://bugs.launchpad.net/keystone/+bug/1490804/+attachment/4528258/+files/0001-Verify-audit_id-when-available.patch |
|
| 2015-12-10 20:38:56 |
Tristan Cacqueray |
summary |
PKI Token Revocation Bypass |
PKI Token Revocation Bypass (CVE-2015-7546) |
|
| 2015-12-10 20:39:01 |
Tristan Cacqueray |
cve linked |
|
2015-7546 |
|
| 2015-12-15 15:05:54 |
Tristan Cacqueray |
information type |
Private Security |
Public Security |
|
| 2015-12-15 15:09:42 |
Tristan Cacqueray |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
A keystone token which has been revoked can still be used by manipulating particular byte fields within the token.
When a Keystone token is revoked it is added to the revoked list which stores the exact token value. Any API will look at the token to see whether or not it should accept a token. By changing a single byte within the token, the revocation can be bypassed. see the testing script [1].
It is suggested that the revocation should be changed to only check the token's inner ID.
[1] http://paste.openstack.org/show/436516/ |
A keystone token which has been revoked can still be used by manipulating particular byte fields within the token.
When a Keystone token is revoked it is added to the revoked list which stores the exact token value. Any API will look at the token to see whether or not it should accept a token. By changing a single byte within the token, the revocation can be bypassed. see the testing script [1].
It is suggested that the revocation should be changed to only check the token's inner ID.
[1] http://paste.openstack.org/show/436516/ |
|
| 2015-12-15 20:48:37 |
OpenStack Infra |
keystone: status |
Won't Fix |
In Progress |
|
| 2015-12-15 20:48:37 |
OpenStack Infra |
keystone: assignee |
Adam Young (ayoung) |
Brant Knudson (blk-u) |
|
| 2015-12-15 20:49:38 |
OpenStack Infra |
keystonemiddleware: status |
Won't Fix |
In Progress |
|
| 2015-12-15 20:49:38 |
OpenStack Infra |
keystonemiddleware: assignee |
Adam Young (ayoung) |
Brant Knudson (blk-u) |
|
| 2015-12-15 23:16:16 |
Steve Martinelli |
keystone: milestone |
|
mitaka-2 |
|
| 2015-12-16 02:01:47 |
Nathan Kinder |
ossn: status |
New |
Fix Released |
|
| 2015-12-17 16:24:32 |
Brant Knudson |
tags |
|
kilo-backport-potential liberty-backport-potential |
|
| 2016-01-05 19:58:00 |
Tristan Cacqueray |
ossa: status |
Incomplete |
Confirmed |
|
| 2016-01-09 03:29:35 |
OpenStack Infra |
keystone: status |
In Progress |
Fix Released |
|
| 2016-01-11 19:46:07 |
OpenStack Infra |
keystonemiddleware: status |
In Progress |
Fix Released |
|
| 2016-01-14 02:22:46 |
OpenStack Infra |
tags |
kilo-backport-potential liberty-backport-potential |
in-stable-kilo kilo-backport-potential liberty-backport-potential |
|
| 2016-01-14 12:56:48 |
OpenStack Infra |
tags |
in-stable-kilo kilo-backport-potential liberty-backport-potential |
in-stable-kilo in-stable-liberty kilo-backport-potential liberty-backport-potential |
|
| 2016-01-21 20:25:15 |
Dave Walker |
nominated for series |
|
keystone/kilo |
|
| 2016-01-21 20:25:15 |
Dave Walker |
bug task added |
|
keystone/kilo |
|
| 2016-01-21 20:26:01 |
Dave Walker |
keystone/kilo: status |
New |
Fix Committed |
|
| 2016-01-21 20:26:01 |
Dave Walker |
keystone/kilo: milestone |
|
2015.1.3 |
|
| 2016-01-21 20:47:22 |
Tristan Cacqueray |
keystone/kilo: status |
Fix Committed |
In Progress |
|
| 2016-01-25 09:42:28 |
OpenStack Infra |
keystone/kilo: status |
In Progress |
Fix Committed |
|
| 2016-01-29 19:41:06 |
Tristan Cacqueray |
summary |
PKI Token Revocation Bypass (CVE-2015-7546) |
[OSSA 2015-006] PKI Token Revocation Bypass (CVE-2015-7546) |
|
| 2016-01-29 19:46:40 |
Tristan Cacqueray |
summary |
[OSSA 2015-006] PKI Token Revocation Bypass (CVE-2015-7546) |
[OSSA 2015-005] PKI Token Revocation Bypass (CVE-2015-7546) |
|
| 2016-01-29 19:46:43 |
Tristan Cacqueray |
ossa: status |
Confirmed |
Fix Released |
|
| 2016-01-29 19:46:49 |
Tristan Cacqueray |
summary |
[OSSA 2015-005] PKI Token Revocation Bypass (CVE-2015-7546) |
[OSSA 2016-005] PKI Token Revocation Bypass (CVE-2015-7546) |
|
| 2016-02-02 20:20:17 |
Morgan Fainberg |
keystone/kilo: importance |
Undecided |
High |
|
| 2017-01-17 19:50:55 |
Morgan Fainberg |
keystone/kilo: status |
Fix Committed |
Fix Released |
|
