The shared token that is used to bootstrap keystone is a hardcoded value.
This is only used as a fallback (the default value in a function signature).
This use case is not triggered when keystone is configured in any documented or supported configuration.
For more information, see:
- https://bugs.launchpad.net/ossn/+bug/1545789
- https://wiki.openstack.org/wiki/OSSN/OSSN-0064
Statement:
Red Hat Product Security has rated this issue as having Low security
impact.
In versions of openstack-keystone shipped with Red Hat Enterprise Linux OpenStack Platform 6, 7 and Red Hat OpenStack Platform 8, the condition required to create a vulnerable scenario was never met. While it is possible to create a vulnerable scenario, the level of access required to create the scenario exceeds that of the access obtained.
This issue did not affect versions of openstack-keystone shipped with Red Hat OpenStack Platform 9 and 10.
This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.