The impact statement isn't correct since it says that tokens won't expire using MySQL, but they will. It's just that revocations don't work with revocation events at all. Here's my attempt:
Brant Knudson from IBM reported a vulnerability in Keystone revocation events. The Keystone revocation events code expects the database to store expiration timestamps with subsecond accuracy, which MySQL does not do. This causes tokens that are manually revoked to remain valid. Only Keystone setups configured to use revocation events and the SQL token driver with MySQL are affected.
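
The precision mismatch described in the comment above, as an added example that is not part of the original comment and not Keystone's code. It is a simplified model: the class and function names are hypothetical, and it assumes the token's expiry is read back from a column that drops fractional seconds while the revocation event carries the full-precision value.

```python
from datetime import datetime

def truncating_backend(ts):
    # Models a DATETIME column with no fractional seconds (assumed truncation).
    return ts.replace(microsecond=0)

def precise_backend(ts):
    # Models a backend that keeps microseconds.
    return ts

class TokenService:
    """Hypothetical, simplified model; not Keystone's classes or schema."""

    def __init__(self, persist, normalize=False):
        self.persist = persist        # what the token table does to a timestamp
        self.normalize = normalize    # compare at whole-second precision
        self.tokens = {}              # token_id -> expires_at as read back
        self.revoked_expiries = []    # expires_at values named by revocation events

    def issue(self, token_id, expires_at):
        self.tokens[token_id] = self.persist(expires_at)

    def revoke(self, expires_at):
        # Assumption: the event carries the full-precision expiry.
        self.revoked_expiries.append(expires_at)

    def _key(self, ts):
        return ts.replace(microsecond=0) if self.normalize else ts

    def is_valid(self, token_id, now):
        expires_at = self.tokens[token_id]
        if now >= expires_at:
            return False              # ordinary expiry is unaffected
        wanted = self._key(expires_at)
        return all(self._key(e) != wanted for e in self.revoked_expiries)

def demo(persist, normalize=False):
    """Return whether a revoked, unexpired token still validates."""
    svc = TokenService(persist, normalize)
    expires = datetime(2014, 1, 1, 12, 0, 0, 123456)   # constructed sample
    svc.issue("t1", expires)
    svc.revoke(expires)
    return svc.is_valid("t1", now=datetime(2014, 1, 1, 11, 0, 0))
```

Comparing at whole-second precision makes the event match every token that expires in the same second, so a real revocation event needs further attributes to single out the token.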