2017-04-07 17:09:32 |
Richard |
bug |
|
|
added bug |
2017-04-07 18:02:50 |
Jeremy Stanley |
description |
If you create an unscoped token (A) and you then use token A to
create a project-scoped token (B) you now have
token (A) [audit_id] = audit_id_a
token (A) [audit_chain_id] = [audit_id_a]
token (B) [audit_id] = audit_id_b
token (B) [audit_chain_id] = [audit_id_a, audit_id_b]
If you Revoke(token A) then token B should also be invalid.
However, this is not the case currently as there are two reasons
for this.
There is a bug that doesn't correctly catch this in revoke_models
because it accidentally changes a list to a list in a tuple:
https://github.com/openstack/keystone/blob/master/keystone/models/revoke_model.py#L200-L201
This needs to have the comma removed from
not in (token_values['audit_chain_id'],) to not in (token_values['audit_chain_id'])
The second and main reason is because this functionality is never exposed to the user
and in the code it is never run here:
https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L255-L277
because revoke_chain=False in the parameter is never set to True in a call anywhere in
the code. |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
If you create an unscoped token (A) and you then use token A to
create a project-scoped token (B) you now have
token (A) [audit_id] = audit_id_a
token (A) [audit_chain_id] = [audit_id_a]
token (B) [audit_id] = audit_id_b
token (B) [audit_chain_id] = [audit_id_a, audit_id_b]
If you Revoke(token A) then token B should also be invalid.
However, this is not the case currently as there are two reasons
for this.
There is a bug that doesn't correctly catch this in revoke_models
because it accidentally changes a list to a list in a tuple:
https://github.com/openstack/keystone/blob/master/keystone/models/revoke_model.py#L200-L201
This needs to have the comma removed from
not in (token_values['audit_chain_id'],) to not in (token_values['audit_chain_id'])
The second and main reason is because this functionality is never exposed to the user
and in the code it is never run here:
https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L255-L277
because revoke_chain=False in the parameter is never set to True in a call anywhere in
the code. |
|
2017-04-07 18:03:02 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2017-04-07 18:03:49 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2017-04-07 18:04:13 |
Jeremy Stanley |
bug |
|
|
added subscriber Keystone Core security contacts |
2017-08-15 04:05:05 |
Tristan Cacqueray |
bug |
|
|
added subscriber OSSG CoreSec |
2018-01-08 20:34:29 |
Lance Bragstad |
keystone: importance |
Undecided |
Medium |
|
2018-01-08 20:34:34 |
Lance Bragstad |
keystone: status |
New |
Triaged |
|
2018-01-08 20:47:18 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
If you create an unscoped token (A) and you then use token A to
create a project-scoped token (B) you now have
token (A) [audit_id] = audit_id_a
token (A) [audit_chain_id] = [audit_id_a]
token (B) [audit_id] = audit_id_b
token (B) [audit_chain_id] = [audit_id_a, audit_id_b]
If you Revoke(token A) then token B should also be invalid.
However, this is not the case currently as there are two reasons
for this.
There is a bug that doesn't correctly catch this in revoke_models
because it accidentally changes a list to a list in a tuple:
https://github.com/openstack/keystone/blob/master/keystone/models/revoke_model.py#L200-L201
This needs to have the comma removed from
not in (token_values['audit_chain_id'],) to not in (token_values['audit_chain_id'])
The second and main reason is because this functionality is never exposed to the user
and in the code it is never run here:
https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L255-L277
because revoke_chain=False in the parameter is never set to True in a call anywhere in
the code. |
If you create an unscoped token (A) and you then use token A to
create a project-scoped token (B) you now have
token (A) [audit_id] = audit_id_a
token (A) [audit_chain_id] = [audit_id_a]
token (B) [audit_id] = audit_id_b
token (B) [audit_chain_id] = [audit_id_a, audit_id_b]
If you Revoke(token A) then token B should also be invalid.
However, this is not the case currently as there are two reasons
for this.
There is a bug that doesn't correctly catch this in revoke_models
because it accidentally changes a list to a list in a tuple:
https://github.com/openstack/keystone/blob/master/keystone/models/revoke_model.py#L200-L201
This needs to have the comma removed from
not in (token_values['audit_chain_id'],) to not in (token_values['audit_chain_id'])
The second and main reason is because this functionality is never exposed to the user
and in the code it is never run here:
https://github.com/openstack/keystone/blob/master/keystone/token/provider.py#L255-L277
because revoke_chain=False in the parameter is never set to True in a call anywhere in
the code. |
|
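Added example (not from the bug report and not Keystone's own code) showing why the trailing comma described in the report turns the audit-chain membership check into a lookup that can never match, and what the corrected check does instead. The token and event dicts are constructed to mirror the shapes the report describes; the matcher functions and `is_revoked` helper are assumptions for illustration.

```python
"""Constructed illustration of the audit_chain_id revocation check.

Field names follow the bug report; the dict shapes, the event format and
the helper functions are assumptions made for this example.
"""

# Constructed tokens: B was issued from unscoped token A, so B's chain
# carries both audit ids, exactly as the report lays out.
TOKEN_A = {"audit_id": "audit_id_a", "audit_chain_id": ["audit_id_a"]}
TOKEN_B = {"audit_id": "audit_id_b",
           "audit_chain_id": ["audit_id_a", "audit_id_b"]}
# An unrelated token that must stay valid when A's chain is revoked.
TOKEN_C = {"audit_id": "audit_id_c", "audit_chain_id": ["audit_id_c"]}

# Constructed revocation event for the whole chain rooted at token A
# (the revoke_chain=True path the report says is never exercised).
CHAIN_EVENT = {"audit_chain_id": "audit_id_a"}


def event_misses_buggy(event, token_values):
    """Mirror of the defective test: the trailing comma wraps the token's
    audit_chain_id list in a one-element tuple, so Python compares a
    string against a list and the event never applies to any token.
    Returns True when the event does NOT match the token."""
    return event["audit_chain_id"] not in (token_values["audit_chain_id"],)


def event_misses_fixed(event, token_values):
    """Corrected test: look the revoked chain id up in the list itself."""
    return event["audit_chain_id"] not in token_values["audit_chain_id"]


def is_revoked(token_values, events, matcher):
    """A token is revoked when at least one chain event applies to it."""
    return any(not matcher(ev, token_values) for ev in events)


if __name__ == "__main__":
    # With the bug, revoking A's chain leaves B usable.
    print("buggy  B revoked:", is_revoked(TOKEN_B, [CHAIN_EVENT], event_misses_buggy))
    # With the fix, B (and A) are invalidated; C is untouched.
    print("fixed  B revoked:", is_revoked(TOKEN_B, [CHAIN_EVENT], event_misses_fixed))
    print("fixed  C revoked:", is_revoked(TOKEN_C, [CHAIN_EVENT], event_misses_fixed))
```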
2018-01-08 20:47:54 |
Jeremy Stanley |
information type |
Private Security |
Public |
|
2018-01-08 20:48:04 |
Jeremy Stanley |
ossa: status |
Incomplete |
Won't Fix |
|
2018-01-08 20:48:16 |
Jeremy Stanley |
tags |
|
security |
|
2018-10-24 17:32:51 |
Morgan Fainberg |
keystone: status |
Triaged |
Won't Fix |
|