Comment 18 for bug 998185

Thierry Carrez (ttx) wrote : Re: Once a token is created/distributed its expiry date can be circumvented

Proposed retroactive common advisory:

Title: Various Keystone token expiration issues
Impact: Medium
Reporter: Derek Higgins
Products: Keystone
Affects: All versions

Description:
Derek Higgins reported various issues affecting Keystone token expiration. A token expiration date can be circumvented by continuously creating new tokens before the old one has expired. Existing tokens also remain valid after a user account is disabled or after an account password is changed. An authenticated and authorized user could potentially leverage those vulnerabilities to extend his access beyond the account owner's expectations.

Folsom fixes:
http://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb18ee6a355
http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c728ccb8626
http://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f0279256f5d

Essex fixes:
http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b32354558391826a4aa
http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e0309f0db454
http://github.com/openstack/keystone/commit/ea03d05ed5de0c015042876100d37a6a14bf56de

Those fixes were included in the Keystone 2012.1.1 stable update and the Folsom-1 development milestone.

References:
https://bugs.launchpad.net/keystone/+bug/998185
https://bugs.launchpad.net/keystone/+bug/997194
https://bugs.launchpad.net/keystone/+bug/996595
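The three conditions named in the advisory, as an added illustration that is not Keystone's code and does not reproduce the linked commits: a naive check that only looks at the expiry timestamp, beside a hardened check that also rejects tokens of disabled accounts and tokens issued before the last password change, plus an issuer that caps a renewed token's expiry at its parent's so that chaining tokens cannot extend access. The `User`, `Token` and `TOKEN_LIFETIME` names are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed model (not Keystone's data model) of what a token check must consult.
EPOCH = datetime(2012, 1, 1, tzinfo=timezone.utc)
TOKEN_LIFETIME = timedelta(hours=24)  # assumed lifetime for the example


@dataclass
class User:
    name: str
    enabled: bool = True
    password_changed_at: datetime = field(default_factory=lambda: EPOCH)


@dataclass
class Token:
    user: str
    issued_at: datetime
    expires_at: datetime


def issue_token(user: User, now: datetime, parent: Optional[Token] = None) -> Token:
    """Issue a token; when derived from an existing token, never outlive that parent.
    Without the cap, re-issuing before expiry extends access indefinitely (the first
    issue in the advisory)."""
    expires_at = now + TOKEN_LIFETIME
    if parent is not None:
        expires_at = min(expires_at, parent.expires_at)
    return Token(user.name, now, expires_at)


def validate_naive(token: Token, users: Dict[str, User], now: datetime) -> bool:
    """Only the expiry timestamp is checked; disabled accounts and password
    changes are ignored, which is the behaviour the advisory describes."""
    return now < token.expires_at


def validate_hardened(token: Token, users: Dict[str, User], now: datetime) -> bool:
    """Reject expired tokens, tokens of disabled (or deleted) users, and tokens
    issued before the account's most recent password change."""
    if now >= token.expires_at:
        return False
    user = users.get(token.user)
    if user is None or not user.enabled:
        return False
    if token.issued_at < user.password_changed_at:
        return False
    return True
```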