It was reported that when the PKI or PKIZ token providers are used, an attacker can manipulate the contents of a revoked token such that the token is still considered valid. The Identity service performs the revocation check by looking up the entire token in the revocation list. Portions of an intercepted PKI or PKIZ token are not cryptographically protected, and an attacker can alter them so that the lookup no longer matches the revoked token and the revocation check improperly considers the token valid. This can allow unauthorized access to cloud resources if a revoked token is intercepted by an attacker.

Users are recommended not to use the PKI or PKIZ token providers and, if they are already using PKI/PKIZ tokens, to switch to another supported token provider, such as UUID. The keystone.conf file stores the configuration of the Identity service:

---- begin keystone.conf sample snippet ----
[token]
#provider = keystone.token.providers.pki.Provider
#provider = keystone.token.providers.pkiz.Provider
provider = keystone.token.providers.uuid.Provider
#---- end keystone.conf sample snippet ----

In Liberty:

---- begin keystone.conf sample snippet ----
[token]
#provider = pki
#provider = pkiz
provider = uuid
#---- end keystone.conf sample snippet ----

The commented-out settings in the examples above are vulnerable.
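An added example, not part of the advisory or of keystone itself, that audits a keystone.conf for the affected [token] provider setting in both the pre-Liberty fully qualified form and the Liberty alias form. It uses Python's configparser, which skips commented-out lines the same way the samples above rely on; the duplicate-override behaviour and the "unset" classification (no explicit provider, so the release default applies and should be checked by hand) are this checker's own assumptions.

```python
import configparser

# Provider values the advisory lists as affected: fully qualified class
# names (pre-Liberty) and the short aliases introduced in Liberty.
VULNERABLE_PROVIDERS = {
    "keystone.token.providers.pki.Provider",
    "keystone.token.providers.pkiz.Provider",
    "pki",
    "pkiz",
}


def token_provider(conf_text):
    """Return the effective [token] provider value, or None if unset.

    Full-line comments such as '#provider = pki' are ignored by
    configparser, so only the active setting is returned. With
    strict=False a later duplicate 'provider =' line overrides an
    earlier one (assumption made by this checker).
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    if not parser.has_section("token"):
        return None
    return parser.get("token", "provider", fallback=None)


def audit_keystone_conf(conf_text):
    """Classify a keystone.conf as 'vulnerable', 'ok' or 'unset'."""
    provider = token_provider(conf_text)
    if provider is None:
        # No explicit provider: the compiled-in default for that keystone
        # release applies, so flag the file for manual review.
        return "unset"
    if provider.strip() in VULNERABLE_PROVIDERS:
        return "vulnerable"
    return "ok"


# Constructed sample snippets mirroring the two examples in the advisory.
KILO_STYLE_OK = """[token]
#provider = keystone.token.providers.pki.Provider
provider = keystone.token.providers.uuid.Provider
"""
LIBERTY_VULNERABLE = """[token]
provider = pkiz
"""

if __name__ == "__main__":
    for name, text in (("kilo", KILO_STYLE_OK), ("liberty", LIBERTY_VULNERABLE)):
        print(name, audit_keystone_conf(text))
```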
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1299683]