Red Hat Bugzilla – Bug 1004452
CVE-2013-4294 OpenStack: Keystone Token revocation failure using Keystone memcache/KVS backends
Last modified: 2016-04-26 10:21:39 EDT
Thierry Carrez reports:
Title: Token revocation failure using Keystone memcache/KVS backends
Reporter: Kieran Spear (University of Melbourne)
Affects: Folsom, Grizzly
Kieran Spear from the University of Melbourne reported a vulnerability
in Keystone memcache and KVS token backends. The PKI token revocation
lists stored the entire token instead of the token ID, triggering
comparison failures, ultimately resulting in revoked PKI tokens still
being considered valid. Only Folsom and Grizzly Keystone setups making
use of PKI tokens with the memcache or KVS token backends are affected.
Havana setups, setups using UUID tokens, or setups using PKI tokens with
the SQL token backend are all unaffected.
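The comparison failure described in the report, modelled in a small illustrative Python example written for this page (not Keystone's own code): the vulnerable revocation list stores the whole token record, so a bare token-ID lookup never matches, while the corrected list stores only the ID. Class and function names are hypothetical, and the token blob is constructed sample data.

```python
"""Illustrative model of the memcache/KVS PKI token revocation defect.
Hypothetical names; not Keystone's implementation."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PkiToken:
    """A PKI token is a signed blob; its ID is derived as a hash of that blob
    (hash choice here is illustrative)."""
    blob: str

    def token_id(self) -> str:
        return hashlib.md5(self.blob.encode()).hexdigest()


class RevocationListVulnerable:
    """Defective behaviour: the revoke path records the whole token record."""

    def __init__(self) -> None:
        self.revoked: list = []

    def revoke(self, token: PkiToken) -> None:
        # Whole record stored instead of the bare ID string.
        self.revoked.append({"id": token.token_id(), "blob": token.blob})

    def is_revoked(self, token_id: str) -> bool:
        # A str is never equal to a dict entry, so this is always False.
        return token_id in self.revoked


class RevocationListFixed:
    """Corrected behaviour: revoke and lookup both use the token ID."""

    def __init__(self) -> None:
        self.revoked: list = []

    def revoke(self, token: PkiToken) -> None:
        self.revoked.append(token.token_id())

    def is_revoked(self, token_id: str) -> bool:
        return token_id in self.revoked


def token_is_valid(rev_list, token: PkiToken) -> bool:
    """Validation step: a token is valid only if its ID is not revoked."""
    return not rev_list.is_revoked(token.token_id())


if __name__ == "__main__":
    tok = PkiToken("MIIB-constructed-sample-signed-blob")  # constructed
    for cls in (RevocationListVulnerable, RevocationListFixed):
        rl = cls()
        rl.revoke(tok)
        print(cls.__name__, "still valid after revoke:", token_is_valid(rl, tok))
```

A regression check of this shape (revoke, then assert validation fails) is what distinguishes the two backends' behaviour.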
Created attachment 793753
Created attachment 793754
This is now public:
Please create [fedora-all] clone.
Red Hat would like to thank Thierry Carrez of OpenStack upstream for reporting this issue. Upstream acknowledges Kieran Spear of University of Melbourne as the original reporter.
This issue has been addressed in the following products:
OpenStack 3 for RHEL 6
Via RHSA-2013:1285 https://rhn.redhat.com/errata/RHSA-2013-1285.html