Comment 13 for bug 1872737

Jeremy Stanley (fungi) wrote : Re: Keystone doesn't check signature TTL of the EC2 credential auth method

I agree that the failure to check the TTL qualifies this as a class AS report for a vulnerability and we should go ahead with an impact description and requesting a CVE assignment (basically Keystone's not following through on one of the security measures it claims to implement). The requirement that the attacker be able to obtain a copy of the victim's token, however, seems like it presents a significant mitigating factor which reduces the risk of dealing with this report in public. How do folks feel about switching this report to a public workflow? Are tokens generally "easy" to steal in a typical deployment/environment?
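To make the "security measure it claims to implement" concrete, the following is an added example, not Keystone's code and not anything from the bug report: a signed EC2-style request where the timestamp (X-Amz-Date) and lifetime (X-Amz-Expires) are part of the signed data, verified once by a checker that stops at the signature and once by a checker that also enforces the TTL. The signing scheme itself is a simplified, hypothetical HMAC over the canonical query string standing in for AWS Signature Version 4; the access key, secret, default 15-minute lifetime, 5-minute clock-skew tolerance and the request contents are all constructed for the example.

```python
"""Added example (not Keystone code): why a signed EC2-style request needs a
TTL check in addition to signature verification.

The signing scheme is a simplified, hypothetical stand-in for AWS SigV4:
HMAC-SHA256 over the sorted, URL-encoded query string.  What it shares with
real SigV4 is that X-Amz-Date and X-Amz-Expires are inside the signed data,
so a verifier can enforce freshness only if it actually looks at them.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

AMZ_DATE_FMT = "%Y%m%dT%H%M%SZ"
MAX_CLOCK_SKEW = timedelta(minutes=5)   # assumed tolerance for clock drift
MAX_EXPIRES = 7 * 24 * 3600              # SigV4 caps X-Amz-Expires at 7 days
DEFAULT_EXPIRES = 900                    # assumed default lifetime (15 min)


def canonical_query(params):
    """Sorted, URL-encoded query string, excluding the signature itself."""
    items = sorted((k, v) for k, v in params.items() if k != "X-Amz-Signature")
    return urlencode(items)


def sign(params, secret):
    """Client side: HMAC the canonical query with the EC2 secret (hypothetical scheme)."""
    msg = canonical_query(params).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def signature_valid(params, secret):
    """What a verifier that ignores TTL stops at: is the HMAC correct?"""
    expected = sign(params, secret)
    return hmac.compare_digest(expected, params.get("X-Amz-Signature", ""))


def signature_fresh(params, now):
    """The missing half: reject a request whose signed lifetime has elapsed.

    Returns (ok, reason).  Both fields are covered by the signature, so an
    attacker replaying a captured request cannot simply extend them.
    """
    try:
        signed_at = datetime.strptime(params["X-Amz-Date"], AMZ_DATE_FMT)
        signed_at = signed_at.replace(tzinfo=timezone.utc)
        expires = int(params.get("X-Amz-Expires", str(DEFAULT_EXPIRES)))
    except (KeyError, ValueError):
        return False, "missing or malformed X-Amz-Date / X-Amz-Expires"
    if not 1 <= expires <= MAX_EXPIRES:
        return False, "X-Amz-Expires out of range"
    if signed_at > now + MAX_CLOCK_SKEW:
        return False, "signed in the future"
    if now > signed_at + timedelta(seconds=expires):
        return False, "signature expired"
    return True, "ok"


def verify_signature_only(params, secret, now):
    """Vulnerable verifier: a captured request stays valid forever."""
    return signature_valid(params, secret)


def verify_with_ttl(params, secret, now):
    """Hardened verifier: signature first, then the signed lifetime."""
    return signature_valid(params, secret) and signature_fresh(params, now)[0]


def make_request(access, secret, when, expires=DEFAULT_EXPIRES):
    """Build a signed request as a client would at time `when` (constructed data)."""
    params = {
        "Action": "DescribeInstances",
        "X-Amz-Credential": access,
        "X-Amz-Date": when.strftime(AMZ_DATE_FMT),
        "X-Amz-Expires": str(expires),
    }
    params["X-Amz-Signature"] = sign(params, secret)
    return params


def replay_demo():
    """Replay a captured request a day after it was signed; returns the outcomes."""
    secret = "constructed-ec2-secret"
    issued = datetime(2020, 4, 15, 12, 0, 0, tzinfo=timezone.utc)
    req = make_request("AKIAEXAMPLE", secret, issued)
    later = issued + timedelta(days=1)
    # Attacker tries to stretch the lifetime of the captured copy.
    stretched = dict(req, **{"X-Amz-Expires": str(MAX_EXPIRES)})
    return {
        "fresh_accepted": verify_with_ttl(req, secret, issued + timedelta(minutes=10)),
        "replay_accepted_without_ttl": verify_signature_only(req, secret, later),
        "replay_accepted_with_ttl": verify_with_ttl(req, secret, later),
        "stretched_expires_accepted": verify_with_ttl(stretched, secret, later),
        "future_dated_accepted": verify_with_ttl(req, secret, issued - timedelta(hours=1)),
    }


if __name__ == "__main__":
    for name, outcome in replay_demo().items():
        print(f"{name}: {outcome}")
```

The point the comment makes about mitigation shows up in `replay_demo`: the signature-only verifier still needs a captured copy of the signed request before it accepts anything, but once an attacker has one, the missing TTL check turns a 15-minute credential into a permanent one, which is exactly what the advertised expiry was supposed to prevent.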