Bug 2105419 (CVE-2022-2447)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2022-2447 Openstack: Application credential token remains valid longer than expected | | |
| Product: | [Other] Security Response | Reporter: | Sage McTaggart <amctagga> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aileenc, alee, apevec, apevec, asoldano, balejosg, bbaranow, bdettelb, bmaxwell, bmontgom, bnemec, brian.stansberry, cdewolf, chazlett, cluster-maint, cyril, darran.lofthouse, dkreling, dmendiza, dosoudil, eglynn, eparis, fjuma, ggrasza, gmalinko, hguemar, iweiss, janstey, jburrell, jjoyce, jochrist, jschatte, jschluet, jslagle, jwon, lbragsta, lgao, lhh, ltoscano, maandre, mburns, mfojtik, mgarciac, mosmerov, mrunge, msochure, msvehla, nkinder, nstielau, nwallace, oalbrigt, oblaut, openstack-manila-bugs, pantinor, peholase, pjindal, pmackay, pprinett, rareddy, rdopiera, rhos-maint, rstancel, rsvoboda, slaznick, slinaber, smaestri, sponnaga, spower, tom.jenkinson, tvignaud |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token should be revoked from when it is actually revoked. This could allow a remote administrator to secretly maintain access for longer than expected. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2117920, 2117923, 2117924, 2120165, 2120167, 2154111 | | |
| Bug Blocks: | 2105420 | | |
Description

Sage McTaggart 2022-07-08 18:35:59 UTC

Which RHOSP version? And which keystone version specifically?

In reply to comment #1:
> Which RHOSP version? And which keystone version specifically?

https://bugzilla.redhat.com/show_bug.cgi?id=2105317 is our original report. I've CC'd Pierre, who made the report, for more info. Thanks!

(In reply to amctagga from comment #2)

Is there any particular reason I'm CCd? I don't have access to the related bugs. Always willing to help, but not sure how here.

(In reply to Luigi Toscano from comment #1)
> Which RHOSP version? And which keystone version specifically?

rhosp: 16.2
puddle id: RHOS-16.2-RHEL-8-20220513.n.2
rhel_version: 8.4

I don't think this flaw should be embargoed, am curious who changed it and why, since we usually are not embargo'ing moderates these days and it was created as a public flaw. Is there a reason it is listed as such? (I also don't think it's a high/important severity flaw, all other credential leak flaws are moderates.)

Ana, I agree on the impact and that there is no need for an embargo. Have assigned a CVE

Why was https://bugzilla.redhat.com/show_bug.cgi?id=2105317 cloned here?

Created openstack-keystone tracking bugs for this issue:

Affects: openstack-rdo [bug 2117920]
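The Doc Text above describes the flaw only as a lag between the moment an application credential is deleted and the moment Keystone stops accepting tokens issued from it, without stating the cause. The check an operator would want is therefore a measurement: issue a token from an application credential, delete the credential, then poll token validation and record how long the token keeps validating. The script below is an added example, not code from this bug report or from Keystone; it uses the public Keystone v3 identity API (`POST`/`GET /v3/auth/tokens`, `DELETE /v3/users/{user_id}/application_credentials/{id}`), and the endpoint URL, ids, secret and admin token are placeholders you supply. The polling loop is separated from the HTTP calls so it can be exercised offline with a fake clock.

```python
"""Measure how long a Keystone application-credential token stays valid after
the credential is deleted. Added example for CVE-2022-2447, not Keystone code.
"""
import json
import os
import time
import urllib.error
import urllib.request
from typing import Callable, Optional

# Hypothetical placeholders: replace with values for the deployment under test.
KEYSTONE_URL = os.environ.get("KEYSTONE_URL", "https://keystone.example.invalid:5000")
ADMIN_TOKEN = os.environ.get("OS_ADMIN_TOKEN", "PLACEHOLDER_ADMIN_TOKEN")
USER_ID = os.environ.get("OS_USER_ID", "PLACEHOLDER_USER_ID")
APP_CRED_ID = os.environ.get("OS_APP_CRED_ID", "PLACEHOLDER_APP_CRED_ID")
APP_CRED_SECRET = os.environ.get("OS_APP_CRED_SECRET", "PLACEHOLDER_SECRET")
TOKEN_ENDPOINT = "/v3/auth/tokens"


def _request(method: str, url: str, headers: dict, body: Optional[dict] = None):
    """Send one JSON request; return (status, response headers). HTTP errors are returned, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:
        return err.code, err.headers


def issue_app_cred_token(auth_url: str, app_cred_id: str, secret: str) -> str:
    """Authenticate with the application credential; Keystone returns the token id in X-Subject-Token."""
    body = {"auth": {"identity": {"methods": ["application_credential"],
                                  "application_credential": {"id": app_cred_id, "secret": secret}}}}
    status, headers = _request("POST", auth_url + TOKEN_ENDPOINT, {}, body)
    if status != 201:
        raise RuntimeError(f"token issuance failed with HTTP {status}")
    return headers.get("X-Subject-Token")


def delete_app_cred(auth_url: str, admin_token: str, user_id: str, app_cred_id: str) -> None:
    """Delete the application credential; from this moment policy says its tokens should be rejected."""
    url = f"{auth_url}/v3/users/{user_id}/application_credentials/{app_cred_id}"
    status, _ = _request("DELETE", url, {"X-Auth-Token": admin_token})
    if status != 204:
        raise RuntimeError(f"application credential deletion failed with HTTP {status}")


def token_is_valid(auth_url: str, admin_token: str, subject_token: str) -> bool:
    """Validate a token: 200 means Keystone still accepts it, 404 means it is revoked or expired."""
    status, _ = _request("GET", auth_url + TOKEN_ENDPOINT,
                         {"X-Auth-Token": admin_token, "X-Subject-Token": subject_token})
    if status == 200:
        return True
    if status == 404:
        return False
    raise RuntimeError(f"unexpected HTTP {status} while validating token")


def measure_revocation_lag(is_valid: Callable[[], bool], timeout_s: float, interval_s: float = 5.0,
                           clock: Callable[[], float] = time.monotonic,
                           sleep: Callable[[float], None] = time.sleep) -> Optional[float]:
    """Poll is_valid() until it reports False; return the seconds elapsed,
    or None if the token was still accepted when timeout_s expired."""
    start = clock()
    while True:
        if not is_valid():
            return clock() - start
        if clock() - start >= timeout_s:
            return None
        sleep(interval_s)


def exceeds_policy(lag_s: Optional[float], allowed_s: float) -> bool:
    """True when the token outlived its credential by more than the tolerated window
    (None means it never became invalid inside the measurement window)."""
    return lag_s is None or lag_s > allowed_s


if __name__ == "__main__":
    token = issue_app_cred_token(KEYSTONE_URL, APP_CRED_ID, APP_CRED_SECRET)
    delete_app_cred(KEYSTONE_URL, ADMIN_TOKEN, USER_ID, APP_CRED_ID)
    # The Doc Text reports up to one hour in a default configuration, so poll for that long.
    lag = measure_revocation_lag(lambda: token_is_valid(KEYSTONE_URL, ADMIN_TOKEN, token), timeout_s=3600)
    print("revocation lag:", "not revoked within window" if lag is None else f"{lag:.0f}s")
    print("exceeds 60s tolerance:", exceeds_policy(lag, 60))
```

Run it against a test deployment with a throwaway application credential; the printed lag is the interval the Doc Text refers to, and comparing it against your own tolerance tells you whether the deployment still exhibits the behaviour.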