Bug 965852 (CVE-2013-2104)

Summary:

CVE-2013-2104 OpenStack Keystone: Missing expiration check in Keystone PKI token validation

Product:

[Other] Security Response

Reporter:

Kurt Seifried <kseifried>

Component:

vulnerability

Assignee:

Red Hat Product Security <security-response-team>

Status:

CLOSED ERRATA

QA Contact:

Severity:

medium

Docs Contact:

Priority:

medium

Version:

unspecified

CC:

abaron, aortega, apevec, apevec, ayoung, bfilippov, breu, chrisw, dallan, d.busby, Jan.van.Eldik, jkt, jlieskov, jonathansteffan, jose.castro.leon, jrusnack, jruzicka, markmc, p, rbryant, rhos-maint, sclewis, security-response-team

Target Milestone:

---

Keywords:

Security

Target Release:

---

Hardware:

All

OS:

Linux

Whiteboard:

Fixed In Version:

Doc Type:

Bug Fix

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2013-08-10 00:49:50 UTC

Type:

---

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Bug Depends On:

965859, 965860, 968328, 968330, 970659, 970660

Bug Blocks:

965855

Attachments:

Description	Flags
keystone-folsom-CVE-2013-2104.patch	none
python-keystoneclient-master-CVE-2013-2104.patch	none
Updated keystone-folsom-CVE-2013-2104.patch	none
The final patch from upstream	none

Description Kurt Seifried 2013-05-21 20:49:54 UTC

Thierry Carrez (thierry) reports:

Title: Missing expiration check in Keystone PKI token validation
Reporter: Eoghan Glynn (Red Hat)
Products/Affects: Keystone (Folsom only), python-keystoneclient (0.2.0+)

Description:
Eoghan Glynn from Red Hat reported a vulnerability in expiry checks for
PKI tokens in the Keystone authentication middleware. Expired tokens for
authenticated users could continue to be used, potentially resulting in
the bypass of intended security policies. The effect of PKI token
revocation is also reversed when the token expires, in the sense that a
revoked token is once again treated as being valid. Only setups using
PKI tokens are affected.

Note:
The affected code was added to Keystone in the Folsom release, but was
moved to python-keystoneclient during the Grizzly development cycle.

Comment 1 Kurt Seifried 2013-05-21 20:54:24 UTC

Created attachment 751373 [details]
keystone-folsom-CVE-2013-2104.patch

Comment 2 Kurt Seifried 2013-05-21 20:55:04 UTC

Created attachment 751374 [details]
python-keystoneclient-master-CVE-2013-2104.patch

Comment 5 Jan Lieskovsky 2013-05-27 13:15:54 UTC

Created attachment 753617 [details]
Updated keystone-folsom-CVE-2013-2104.patch

Comment 7 Vincent Danen 2013-05-28 22:28:26 UTC

Created attachment 754099 [details]
The final patch from upstream

Comment 8 Vincent Danen 2013-05-28 22:33:23 UTC

The upstream patch is available here:

https://github.com/openstack/keystone/commit/8d23da1302dde9d38bbc227d9aba30da919b60c8

And the upstream announcement is here:

http://www.openwall.com/lists/oss-security/2013/05/28/7

Comment 9 Jan Lieskovsky 2013-05-29 13:20:11 UTC

This issue did NOT affect the version of the openstack-keystone package, as shipped with Fedora release of 17.

--

This issue affects the version of the openstack-keystone package, as shipped with Fedora release of 18 and Fedora EPEL-6.

Comment 10 Jan Lieskovsky 2013-05-29 13:21:36 UTC

Created openstack-keystone tracking bugs for this issue

Affects: fedora-all [bug 968328]
Affects: epel-6 [bug 968330]

Comment 11 Jan Lieskovsky 2013-06-04 14:11:43 UTC

Created python-keystoneclient tracking bugs for this issue

Affects: epel-6 [bug 970659]
Affects: fedora-rawhide [bug 970660]

Comment 12 Murray McAllister 2013-06-06 13:25:27 UTC

Acknowledgements:

This issue was discovered by Eoghan Glynn of Red Hat.

Comment 15 Jan Lieskovsky 2013-06-12 10:56:16 UTC

This issue did NOT affect the versions of the python-keystoneclient package, as shipped with Fedora release of 17, 18, and Fedora EPEL-6.

Comment 16 errata-xmlrpc 2013-06-12 16:43:15 UTC

This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:0944 https://rhn.redhat.com/errata/RHSA-2013-0944.html

Comment 17 Fedora Update System 2013-07-12 19:37:49 UTC

openstack-keystone-2012.2.4-5.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2013-08-09 17:01:08 UTC

openstack-keystone-2012.2.4-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2013-08-15 02:34:42 UTC

python-keystoneclient-0.2.3-7.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.