Bug 1290774 - (CVE-2015-7546) openstack-keystone: Improper check of tampered revoked PKI/PKIZ token
Status: CLOSED UPSTREAM
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All  OS: Linux
Priority: medium  Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20151215,repor...
Keywords: Security
Depends On: 1299682 1299683 1299684
Blocks: 1290776
Reported: 2015-12-11 07:20 EST by Adam Mariš
Modified: 2016-11-09 23:57 EST (History)

Doc Type: Bug Fix
Last Closed: 2016-11-09 23:57:37 EST

Description Adam Mariš 2015-12-11 07:20:49 EST
It was reported that when the PKI or PKIZ token providers are used, it is possible for an attacker to manipulate the contents of a revoked token such that the token will still be considered valid. The Identity service checks for revocation by looking up the entire token. It is possible for an attacker to manipulate portions of an intercepted PKI or PKIZ token that are not cryptographically protected, which will cause the revocation check to improperly consider the token valid. This can allow unauthorized access to cloud resources if a revoked token is intercepted by an attacker.

Users are advised not to use the PKI or PKIZ token providers and, if they are already using PKI/PKIZ tokens, to switch to another supported token provider such as UUID.

The keystone.conf file stores the configuration of the Identity service:

---- begin keystone.conf sample snippet ----
[token]
#provider = keystone.token.providers.pki.Provider
#provider = keystone.token.providers.pkiz.Provider
provider = keystone.token.providers.uuid.Provider
---- end keystone.conf sample snippet ----

In Liberty:

---- begin keystone.conf sample snippet ----
[token]
#provider = pki
#provider = pkiz
provider = uuid
---- end keystone.conf sample snippet ----

The commented out settings in the examples above are vulnerable.
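The following is an added illustration of the flaw described above; it is not keystone's code and does not reproduce its real PKI/PKIZ token format. The token layout (signed body, signature, optional trailing data), the HMAC standing in for the CMS signature, the key, and the claims are all constructed for the example. It shows why a revocation list keyed on a hash of the whole token string can be bypassed by changing a part of the token that the signature does not cover, and two independent ways to close the gap: keying revocation on the signed content only, and rejecting tokens that carry unexpected trailing data.

```python
"""Toy model of the CVE-2015-7546 revocation-check flaw (constructed example)."""
import base64
import hashlib
import hmac
import json

# Constructed key; a real PKI token is CMS-signed with the Identity
# service's certificate, an HMAC stands in for that signature here.
SIGNING_KEY = b"constructed-demo-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """Wire format (constructed): <signed body>.<signature>."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_signature(token: str):
    """Return the claims if the signature is good, else None.

    Like a lenient envelope parser, this reads only the first two
    fields and ignores anything after them. That trailing data is the
    unprotected portion an attacker can change without breaking the
    signature.
    """
    parts = token.split(".")
    if len(parts) < 2:
        return None
    body, sig = parts[0], parts[1]
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    return json.loads(_unb64(body))


def token_id_whole(token: str) -> str:
    """Vulnerable ID: hash of the entire wire string, unprotected parts included."""
    return hashlib.sha256(token.encode()).hexdigest()


def token_id_signed(token: str) -> str:
    """Hardened ID: hash of the signed content only."""
    return hashlib.sha256(token.split(".")[0].encode()).hexdigest()


class Validator:
    """Revocation list keyed by id_func(token); strict=True also rejects
    any token with data beyond the two expected fields."""

    def __init__(self, id_func, strict: bool = False):
        self.id_func = id_func
        self.strict = strict
        self.revoked = set()

    def revoke(self, token: str) -> None:
        self.revoked.add(self.id_func(token))

    def validate(self, token: str):
        if self.strict and token.count(".") != 1:
            return None  # unexpected trailing data: refuse outright
        claims = verify_signature(token)
        if claims is None:
            return None
        if self.id_func(token) in self.revoked:
            return None
        return claims


def demo() -> dict:
    token = issue_token({"user": "alice", "project": "demo", "roles": ["admin"]})
    tampered = token + ".junk"  # alter only the unsigned portion
    forged = _b64(json.dumps({"user": "mallory"}).encode()) + "." + token.split(".")[1]

    vuln = Validator(token_id_whole)
    vuln.revoke(token)
    lenient_fix = Validator(token_id_signed)
    lenient_fix.revoke(token)
    strict_fix = Validator(token_id_signed, strict=True)
    strict_fix.revoke(token)

    return {
        "vuln_rejects_original": vuln.validate(token) is None,
        "vuln_accepts_tampered": vuln.validate(tampered) is not None,  # the bypass
        "lenient_fix_rejects_tampered": lenient_fix.validate(tampered) is None,
        "strict_fix_rejects_tampered": strict_fix.validate(tampered) is None,
        "body_tamper_rejected": verify_signature(forged) is None,
    }
```

The bypass works because the revoked-token set holds sha256(original string) while the attacker presents a string with a different hash but the same signed body; the signature check passes and the revocation lookup misses. Keying the list on the signed content removes the dependency on unprotected bytes; strict parsing removes the unprotected bytes altogether. Either alone defeats this particular tampering, and a defensive implementation does both.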
Comment 2 Garth Mollett 2016-01-18 19:48:57 EST
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1299683]
