Proposed retroactive common advisory:
Title: Various Keystone token expiration issues
Impact: Medium
Reporter: Derek Higgins
Products: Keystone
Affects: All versions
Description:
Derek Higgins reported various issues affecting Keystone token expiration. A token's expiration date can be circumvented by continuously creating new tokens before the old one has expired. Existing tokens also remain valid after a user account is disabled or after an account password is changed. An authenticated and authorized user could potentially leverage those vulnerabilities to extend his access beyond the account owner's expectations.
Folsom fixes:
http://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb18ee6a355
http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c728ccb8626
http://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f0279256f5d
Essex fixes:
http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b32354558391826a4aa
http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e0309f0db454
http://github.com/openstack/keystone/commit/ea03d05ed5de0c015042876100d37a6a14bf56de
Those fixes were included in the Keystone 2012.1.1 stable update and the Folsom-1 development milestone.
References:
https://bugs.launchpad.net/keystone/+bug/998185
https://bugs.launchpad.net/keystone/+bug/997194
https://bugs.launchpad.net/keystone/+bug/996595
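
The following is an added sketch, not Keystone code and not taken from the fixes above, of one way a token service can close the three gaps in the description: a token obtained from another token inherits the original expiry, and a password change or account disable revokes the user's outstanding tokens. The class `TokenStore`, its method names and the 24-hour lifetime are assumptions made for the example.

```python
import secrets
from datetime import timedelta

TOKEN_LIFETIME = timedelta(hours=24)  # assumed value for this sketch


class TokenStore:
    """Toy in-memory token service (hypothetical names, plaintext passwords for brevity)."""

    def __init__(self):
        self.users = {}   # name -> {"password": str, "enabled": bool}
        self.tokens = {}  # token id -> {"user": str, "expires": datetime}

    def add_user(self, name, password):
        self.users[name] = {"password": password, "enabled": True}

    def _issue(self, user, expires):
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = {"user": user, "expires": expires}
        return token_id

    def _revoke_all(self, user):
        self.tokens = {t: v for t, v in self.tokens.items() if v["user"] != user}

    def auth_password(self, name, password, now):
        u = self.users.get(name)
        if not u or not u["enabled"] or not secrets.compare_digest(
                u["password"].encode(), password.encode()):
            raise PermissionError("invalid credentials")
        return self._issue(name, now + TOKEN_LIFETIME)

    def auth_token(self, token_id, now):
        # New token inherits the old expiry: chained exchanges cannot extend access.
        old = self.validate(token_id, now)
        return self._issue(old["user"], old["expires"])

    def validate(self, token_id, now):
        tok = self.tokens.get(token_id)
        user_ok = tok is not None and self.users[tok["user"]]["enabled"]
        if not user_ok or now >= tok["expires"]:
            raise PermissionError("token unknown, revoked, expired or user disabled")
        return tok

    def set_password(self, name, new_password):
        self.users[name]["password"] = new_password
        self._revoke_all(name)  # old tokens die with the old password

    def disable_user(self, name):
        self.users[name]["enabled"] = False
        self._revoke_all(name)
```
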