PKI Token Revocation Bypass (CVE-2015-7546)
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mirantis OpenStack |
Invalid
|
High
|
MOS Keystone | ||
| 5.1.x |
Invalid
|
High
|
MOS Maintenance | ||
| 6.0.x |
Invalid
|
High
|
MOS Maintenance | ||
| 6.1.x |
Invalid
|
High
|
MOS Maintenance | ||
| 7.0.x |
Invalid
|
High
|
MOS Maintenance | ||
Bug Description
Problem description:
A keystone token which has been revoked can still be used by manipulating particular byte fields within the token.
When a Keystone token is revoked it is added to the revoked list which stores the exact token value. Any API will look at the token to see whether or not it should accept a token. By changing a single byte within the token, the revocation can be bypassed. see the testing script [1].
It is suggested that the revocation should be changed to only check the token's inner ID.
[1] http://
Upstream bug report:
https:/
OSSN notice:
https:/
Solution proposal:
Backport fix from the upstream.
Warn customers about issue and potential risks.
CVE References
| description: | updated |
| Changed in mos: | |
| milestone: | none → 8.0 |
| importance: | Undecided → Medium |
| importance: | Medium → High |
| assignee: | nobody → MOS Keystone (mos-keystone) |
| Boris Bobrov (bbobrov) wrote | #1 |
| Changed in mos: | |
| status: | New → Invalid |
| information type: | Public Security → Private Security |
| Denis Meltsaykin (dmeltsaykin) wrote | #2 |
| Adam Heczko (aheczko-mirantis) wrote | #3 |
| tags: | added: release-notes |
| information type: | Private Security → Public Security |
> Backport fix from the upstream.
We don't use PKI by default.