[OSSA 2012-014] Token validation includes revoked roles (CVE-2012-4413)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Critical | Thierry Carrez | |
| Essex | Fix Released | Critical | Thierry Carrez | |
| OpenStack Security Advisory | Fix Released | Undecided | Thierry Carrez | |
| keystone (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
To reproduce:
1) Initial setup: http://
2) Authenticate as a normal user, generating a token
3) On the admin API, revoke a role from that user
4) On the admin API, validate the user's generated token
The revoked role is included in the validation response. Ideally, the token should be entirely invalidated and return 404, although at the very least, the revoked role should *NOT* be included in the validation response.
Full example:
Authenticate as a user who has been granted the 'manager' role:
POST http://
===
Content-Type: application/json
{
"auth": {
}
}
}
200 OK
======
Date: Fri, 24 Aug 2012 22:43:24 GMT
Vary: X-Auth-Token
Content-Length: 448
Status: 200
Content-Type: application/json
{
"access": {
"token": {
"id": "c0db082bdb7f47
"tenant": {
"id": "10e2a090121748
"name": "project-x"
}
},
"user": {
"id": "b2a6f8d5dbb249
"roles": [
{
}
],
"name": "joe"
},
"metadata": {
"roles": [
]
}
}
}
Validate the user's token (note the presence of the 'manager' role):
GET http://
===
X-Auth-Token: ADMIN
200 OK
======
Status: 200
Content-Length: 490
Content-
Vary: X-Auth-Token
Date: Fri, 24 Aug 2012 22:44:01 GMT
Content-Type: application/json
{
"access": {
"token": {
"id": "c0db082bdb7f47
"tenant": {
"id": "10e2a090121748
"name": "project-x"
}
},
"user": {
"id": "b2a6f8d5dbb249
"roles": [
{
"id": "facd80ce22d44e
}
],
"name": "joe"
},
"metadata": {
"roles": [
]
}
}
}
As admin, revoke the 'manager' role from the user:
$ keystone user-role-remove --user-
As admin, the validation response remains unchanged (including the revoked 'manager' role):
GET http://
===
X-Auth-Token: ADMIN
200 OK
======
Status: 200
Content-Length: 490
Content-
Vary: X-Auth-Token
Date: Fri, 24 Aug 2012 22:44:46 GMT
Content-Type: application/json
{
"access": {
"token": {
"id": "c0db082bdb7f47
"tenant": {
"id": "10e2a090121748
"name": "project-x"
}
},
"user": {
"id": "b2a6f8d5dbb249
"roles": [
{
"id": "facd80ce22d44e
}
],
"name": "joe"
},
"metadata": {
"roles": [
]
}
}
}
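The failure mode in the report, and the two remediations it asks for, modelled as an added illustration (a toy in-memory store, not Keystone's own code): the token body snapshots the user's roles at authentication time, so a validator that simply echoes that snapshot keeps returning a role that was revoked afterwards. `validate_filtered` is the minimal fix (drop roles no longer assigned), `validate_strict` the stronger one (any revoked role makes the token invalid, i.e. a 404); all names are assumed.

```python
# Added illustration of the OSSA 2012-014 behaviour; not Keystone code.
import secrets

class IdentityStore:
    """Role assignments per (user, tenant) plus tokens issued against them."""

    def __init__(self):
        self.assignments = {}   # (user_id, tenant_id) -> set of role names
        self.tokens = {}        # token_id -> snapshot taken at issue time

    def grant(self, user_id, tenant_id, role):
        self.assignments.setdefault((user_id, tenant_id), set()).add(role)

    def revoke(self, user_id, tenant_id, role):
        # Equivalent of 'keystone user-role-remove': changes the assignment
        # store only; nothing here touches tokens already issued.
        self.assignments.get((user_id, tenant_id), set()).discard(role)

    def authenticate(self, user_id, tenant_id):
        """Issue a token whose body snapshots the roles held right now."""
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = {
            "user": user_id,
            "tenant": tenant_id,
            "roles": sorted(self.assignments.get((user_id, tenant_id), set())),
        }
        return token_id

    def validate_vulnerable(self, token_id):
        """Pre-fix behaviour: echo the snapshot, so revoked roles survive."""
        snap = self.tokens.get(token_id)
        return None if snap is None else dict(snap)

    def validate_filtered(self, token_id):
        """Minimal fix: report only roles still assigned at validation time."""
        snap = self.tokens.get(token_id)
        if snap is None:
            return None
        current = self.assignments.get((snap["user"], snap["tenant"]), set())
        return {**snap, "roles": [r for r in snap["roles"] if r in current]}

    def validate_strict(self, token_id):
        """Stronger fix: a token loses validity (None, i.e. 404) as soon as
        any role it was issued with has been revoked."""
        snap = self.tokens.get(token_id)
        if snap is None:
            return None
        current = self.assignments.get((snap["user"], snap["tenant"]), set())
        if not set(snap["roles"]) <= current:
            return None
        return dict(snap)
```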
Related branches
- Ubuntu Server Developers: Pending requested
- Diff: 13 lines (+6/-0), 1 file modified: debian/changelog (+6/-0)
CVE References
- CVE-2012-4413
- security vulnerability: yes → no
- security vulnerability: no → yes
- summary: Token validation includes revoked roles → Token validation includes revoked roles (CVE-2012-4413)
- visibility: private → public
- Changed in keystone: status: Fix Committed → Fix Released
- Changed in keystone: milestone: folsom-rc1 → 2012.2
- Changed in keystone (Ubuntu): status: New → Fix Released
- summary: Token validation includes revoked roles (CVE-2012-4413) → [OSSA 2012-014] Token validation includes revoked roles (CVE-2012-4413)
- Changed in ossa: assignee: nobody → Thierry Carrez (ttx)
- Changed in ossa: status: New → Fix Released
Note: I'm suddenly having trouble getting the stable/essex S3 & swift middleware tests to run on my machine (both with and without this patch) -- but I don't think they should be impacted, regardless.