Bug 843311 (CVE-2012-3426)

Summary: CVE-2012-3426 OpenStack-Keystone: token expiration issues
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: apevec, jrusnack, markmc, pbrady, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20120727,reported=20120615,source=distros,cvss2=4.9/AV:N/AC:M/Au:S/C:P/I:P/A:N,fedora-all/openstack-keystone=affected,epel-6/openstack-keystone=affected,cwe=CWE-613
Doc Type: Bug Fix
Last Closed: 2012-09-12 19:12:52 UTC
Bug Blocks: 836072

Description Kurt Seifried 2012-07-26 03:04:33 UTC
Thierry Carrez (thierry@openstack.org) of the OpenStack project reports:

Derek Higgins reported various issues affecting Keystone token
expiration. A token expiration date can be circumvented by
continuously creating new tokens before the old one has expired.
Existing tokens also remain valid after a user account is disabled or
after an account password is changed. An authenticated and authorized
user could potentially leverage those vulnerabilities to extend his
access beyond the account owner's expectations.

Folsom fixes:

Essex fixes:
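
The report above names three gaps in token handling: a token-for-token exchange that grants a fresh lifetime (so access can be chained past the original expiry), and tokens that stay valid after the account is disabled or its password changes. The following is an added, self-contained example written for this page; it is not Keystone's code, does not use Keystone's APIs, and the `Account`/`Token` data model, the `password_changed_at` field and the `TokenService` class are assumptions made for illustration. It shows a validator that closes all three gaps: a re-issued token inherits its parent's `expires_at` instead of starting a new lifetime, and every validation re-checks the account's `enabled` flag and rejects tokens issued before the last password change.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

UTC = timezone.utc
EPOCH = datetime(1970, 1, 1, tzinfo=UTC)


@dataclass
class Account:
    user_id: str
    enabled: bool = True
    # Assumed field: when the password was last changed. Tokens issued
    # before this instant are treated as revoked.
    password_changed_at: datetime = EPOCH


@dataclass
class Token:
    token_id: str
    user_id: str
    issued_at: datetime
    expires_at: datetime


class TokenService:
    """Hypothetical token issuer/validator (not Keystone's implementation)."""

    def __init__(self, lifetime: timedelta = timedelta(hours=1)) -> None:
        self.lifetime = lifetime
        self.accounts: Dict[str, Account] = {}
        self.tokens: Dict[str, Token] = {}

    def add_account(self, account: Account) -> None:
        self.accounts[account.user_id] = account

    def disable_account(self, user_id: str) -> None:
        self.accounts[user_id].enabled = False

    def change_password(self, user_id: str, now: datetime) -> None:
        self.accounts[user_id].password_changed_at = now

    def issue_with_password(self, user_id: str, now: datetime) -> Token:
        """Fresh authentication: the full lifetime starts now."""
        if not self.accounts[user_id].enabled:
            raise PermissionError("account disabled")
        return self._store(user_id, now, now + self.lifetime)

    def reissue(self, token_id: str, now: datetime) -> Token:
        """Token-for-token exchange. The child inherits the parent's expiry
        rather than receiving a new lifetime, so chaining cannot extend access."""
        reason = self.validate(token_id, now)
        if reason is not None:
            raise PermissionError(reason)
        parent = self.tokens[token_id]
        return self._store(parent.user_id, now, parent.expires_at)

    def _store(self, user_id: str, issued_at: datetime, expires_at: datetime) -> Token:
        tok = Token(secrets.token_hex(16), user_id, issued_at, expires_at)
        self.tokens[tok.token_id] = tok
        return tok

    def validate(self, token_id: str, now: datetime) -> Optional[str]:
        """Return None if the token is acceptable, otherwise the rejection reason.
        Account state is re-checked on every use, not only at issuance."""
        tok = self.tokens.get(token_id)
        if tok is None:
            return "unknown token"
        if now >= tok.expires_at:
            return "token expired"
        acct = self.accounts.get(tok.user_id)
        if acct is None or not acct.enabled:
            return "account disabled"
        if tok.issued_at < acct.password_changed_at:
            return "token predates password change"
        return None


def demo() -> dict:
    """Walk through the three scenarios from the report on constructed data."""
    svc = TokenService(lifetime=timedelta(hours=1))
    svc.add_account(Account("alice"))
    t0 = datetime(2012, 7, 27, 12, 0, tzinfo=UTC)  # constructed timestamp
    first = svc.issue_with_password("alice", t0)

    # 1. Chaining at t0+50min: the child keeps the parent's t0+60min expiry.
    child = svc.reissue(first.token_id, t0 + timedelta(minutes=50))
    # 2. Password change at t0+10min revokes tokens issued before it.
    svc.change_password("alice", t0 + timedelta(minutes=10))
    after_pw = svc.validate(first.token_id, t0 + timedelta(minutes=20))
    fresh = svc.issue_with_password("alice", t0 + timedelta(minutes=20))
    fresh_ok = svc.validate(fresh.token_id, t0 + timedelta(minutes=30))
    # 3. Disabling the account rejects every outstanding token.
    svc.disable_account("alice")
    after_disable = svc.validate(fresh.token_id, t0 + timedelta(minutes=30))

    return {
        "child_expires_with_parent": child.expires_at == first.expires_at,
        "child_after_original_expiry": svc.validate(child.token_id, t0 + timedelta(minutes=61)),
        "after_password_change": after_pw,
        "fresh_after_password_change": fresh_ok,
        "after_disable": after_disable,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that expiry is a property of the authentication event, not of the token object: anything derived from a token carries the original `expires_at`, and account-level changes (disable, password change) are consulted at validation time so that already-issued tokens cannot outlive them.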

Comment 2 Vincent Danen 2012-07-27 17:59:44 UTC
This is now public: