Openstack: Application credential token remains valid longer than expected (CVE-2022-2447)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | David Wilde |
OpenStack Security Advisory | Won't Fix | Undecided | David Wilde |
Bug Description
Description of problem:
Keystone issues tokens with the default configured lifespan regardless of the expiration of the application credentials used to obtain them, so a token can stay usable after the credential it was derived from has expired.
If the configured lifespan of an identity token is 1h and the application credentials expire 1 minute from now, a newly issued token will outlive the application credentials used to issue it by 59 minutes; whoever holds that token keeps access for that long.
How reproducible: 100%
Steps to Reproduce:
1. Create application credentials with a short expiration time (e.g. 10 seconds)
2. openstack token issue
--> the returned token has the standard expiration, for example 1 hour. The script below confirms that the token continues to be valid after the application credentials have expired.
```bash
#!/usr/bin/env bash
set -Eeuo pipefail

# Probe target: any authenticated API call will do; the report creates an
# image and polls its URL (the remaining image options and the URL value
# are truncated in the report).
openstack image create --disk-format=raw --container-
image_url=

# Application credentials with a very short expiration (the --expiration
# value is truncated in the report; the steps above use 10 seconds).
openstack application credential create \
    --expiration= \
    token_test \
    -f json \
    > appcreds.json

# Point the client at the application credentials for the rest of the run.
cat <<EOF > clouds.yaml
clouds:
  ${OS_CLOUD}:
    auth:
      auth_type: "v3applicationcredential"
    interface: public
EOF
# Override ~/.config/
touch secure.yaml

# Issue a token from the application credentials; it should expire no
# later than the credentials do.
openstack token issue -f json > token.json
echo "appcreds expiration: $(jq -r '.expires_at' appcreds.json)"

# Poll well past the credentials' expiry; a 200 after that point is the bug.
for i in {1..10}; do
    sleep 100
    echo -ne "$(date --utc --rfc-3339=seconds) "
    curl -isS -H "X-Auth-Token: $(jq -r '.id' token.json)" --url "$image_url" | head -n1
done
```
Actual results (on a cloud with a token lifetime of 24h):
appcreds expiration: 2022-07-
2022-07-08 13:56:38+00:00 HTTP/1.1 200 OK
2022-07-08 13:58:19+00:00 HTTP/1.1 200 OK
2022-07-08 14:00:00+00:00 HTTP/1.1 200 OK
2022-07-08 14:01:42+00:00 HTTP/1.1 200 OK
2022-07-08 14:03:23+00:00 HTTP/1.1 200 OK
2022-07-08 14:05:07+00:00 HTTP/1.1 200 OK
2022-07-08 14:06:49+00:00 HTTP/1.1 200 OK
2022-07-08 14:08:37+00:00 HTTP/1.1 200 OK
2022-07-08 14:10:18+00:00 HTTP/1.1 200 OK
2022-07-08 14:12:00+00:00 HTTP/1.1 200 OK
Expected results:
appcreds expiration: 2022-07-
2022-07-08 13:54:38+00:00 HTTP/1.1 200 OK
2022-07-08 13:58:19+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:00:00+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:01:42+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:03:23+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:05:07+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:06:49+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:08:37+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:10:18+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:12:00+00:00 HTTP/1.1 401 Unauthorized
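To make the difference between the two result blocks concrete, here is an added model in Python. It is illustrative code written for this page, not Keystone's implementation: `token_expires_at` computes a token's expiry either with the reported behaviour (full configured lifetime) or with the behaviour the expected results call for (never later than the application credential), and `probes_that_should_have_failed` runs over the script's output lines and flags every 200 returned after the credential expired. The credential expiry of 13:55:00 UTC and the sample lines are constructed, since the report truncates the real `expires_at`; all function names are this example's own.

```python
"""Model of the CVE-2022-2447 token-lifetime behaviour plus a check over
the polling output produced by the reproduction script.

Added illustration, not Keystone's own code. Timestamps are ISO 8601 with an
offset, as `date --rfc-3339=seconds` prints them; the application-credential
expiry used in the sample is assumed because the report truncates it.
"""
from datetime import datetime, timedelta, timezone


def token_expires_at(now, token_lifetime_s, app_cred_expires_at, clamp):
    """Compute a token's expires_at.

    clamp=False models the reported behaviour: the token gets the full
    configured lifetime no matter when the application credential expires.
    clamp=True models the expected behaviour: the token never outlives the
    credential. Application credentials may have no expiration at all
    (expires_at None); then only the configured lifetime applies.
    """
    expires = now + timedelta(seconds=token_lifetime_s)
    if clamp and app_cred_expires_at is not None:
        expires = min(expires, app_cred_expires_at)
    return expires


def token_accepted(at, token_expiry):
    """Validation as the report observes it: only the token's own expiry counts."""
    return at < token_expiry


def parse_probe(line):
    """Parse one output line of the script, e.g.
    '2022-07-08 13:56:38+00:00 HTTP/1.1 200 OK' -> (datetime, 200)."""
    date_part, time_part, _proto, status, *_ = line.split()
    return datetime.fromisoformat(f"{date_part}T{time_part}"), int(status)


def probes_that_should_have_failed(lines, app_cred_expires_at):
    """Timestamps of probes answered 200 at or after the credential's expiry.
    An empty list means the cloud behaves as the expected results describe."""
    bad = []
    for line in lines:
        at, status = parse_probe(line)
        if at >= app_cred_expires_at and status == 200:
            bad.append(at)
    return bad


# Constructed sample: the first two lines of each result block in the report,
# an assumed token issue time, and an assumed credential expiry (truncated
# in the report) of 13:55:00 UTC.
APP_CRED_EXPIRES_AT = datetime(2022, 7, 8, 13, 55, 0, tzinfo=timezone.utc)
ISSUED_AT = datetime(2022, 7, 8, 13, 54, 28, tzinfo=timezone.utc)
PROBE_AT = datetime(2022, 7, 8, 13, 56, 38, tzinfo=timezone.utc)
ACTUAL = [
    "2022-07-08 13:56:38+00:00 HTTP/1.1 200 OK",
    "2022-07-08 13:58:19+00:00 HTTP/1.1 200 OK",
]
EXPECTED = [
    "2022-07-08 13:54:38+00:00 HTTP/1.1 200 OK",
    "2022-07-08 13:58:19+00:00 HTTP/1.1 401 Unauthorized",
]

if __name__ == "__main__":
    for clamp in (False, True):
        exp = token_expires_at(ISSUED_AT, 24 * 3600, APP_CRED_EXPIRES_AT, clamp)
        print(f"clamp={clamp}: token expires {exp.isoformat()}, "
              f"accepted at {PROBE_AT.time()}: {token_accepted(PROBE_AT, exp)}")
    print("unexpected 200s in actual output:",
          [t.isoformat() for t in probes_that_should_have_failed(ACTUAL, APP_CRED_EXPIRES_AT)])
    print("unexpected 200s in expected output:",
          probes_that_should_have_failed(EXPECTED, APP_CRED_EXPIRES_AT))
```

The clamp is applied at issue time so that the token's own `expires_at` already carries the credential's limit; a validator that only checks the token's expiry, as the report observes, then rejects it correctly. Credentials with no expiration are left alone, since clamping to `None` would otherwise have to be special-cased on every path.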
CVE References
Changed in ossa: | |
assignee: | nobody → David Wilde (dave-wilde) |
Changed in keystone: | |
importance: | Undecided → High |
summary: | Openstack: Application credential token remains valid longer than expected → Openstack: Application credential token remains valid longer than expected (CVE-2022-2447) |
I assume the path forward will be to have the token expire when the application credential does, but I'd like to make sure we document that a token created by an app cred will expire according to the expiry of the app cred rather than the token config setting default.