[CVE-2016-4911] Incorrect Audit IDs in Keystone Fernet Tokens (OSSA-2016-008)
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mirantis OpenStack |
Fix Released
|
High
|
MOS Keystone | ||
| 7.0.x |
Invalid
|
High
|
MOS Maintenance | ||
Bug Description
Detailed bug description:
As MOS is using by default Fernet token provider, prior to merging fix for this issue token revocation doesn't work, because Fernet revoke tokens by audit IDs.
Lance Bragstad (Rackspace) reported a vulnerability in the Keystone Fernet Token Provider. When Keystone was configured to use Fernet tokens, the unique string (audit_id) was not properly maintained during a token rescope (requesting a token for a new project scope using the current token for authentication). This resulted in the inability to revoke entire chain of tokens. The revocation of the chain of tokens. Most revocations are not for the entire chain of tokens. Only Master (Newton) and Mitaka releases of Keystone configured to use Fernet as the Keystone token provider were affected.
Upstream bug report:
https:/
Upstream change IDs:
https:/
| Roman Podoliaka (rpodolyaka) wrote | #1 |
| Changed in mos: | |
| status: | New → Confirmed |
| tags: | added: area-keystone |
| Alexander Makarov (amakarov) wrote | #2 |
| Changed in mos: | |
| status: | Confirmed → In Progress |
| Changed in mos: | |
| status: | In Progress → Fix Committed |
| Alexander Petrov (apetrov-n) wrote | #3 |
| Changed in mos: | |
| status: | Fix Committed → Fix Released |
| summary: |
[CVE-2016-4911] Incorrect Audit IDs in Keystone Fernet Tokens + (OSSA-2016-008) |
| Denis Meltsaykin (dmeltsaykin) wrote | #4 |
the fix is already merged in upstream. MOS Keystone, please double check we have this in downstream 9.0.