Russell Bryant (rbryant) of the OpenStack Project reports:

Title: Revoking a role does not affect existing tokens
Impact: High
Reporter: Dolph Mathews (Rackspace)
Products: Keystone
Affects: Essex, Folsom

Description:
Dolph Mathews reported a vulnerability in Keystone. Granting and revoking roles from a user is not reflected upon token validation for pre-existing tokens. Pre-existing tokens continue to be valid for the original set of roles for the remainder of the token's lifespan, or until explicitly invalidated. This fix invalidates all tokens held by a user upon role grant/revoke to circumvent the issue.
See the attached patches. For Essex, the following patch also needs to be in place before the fix for the vulnerability will be fully effective: https://review.openstack.org/#/c/12590/. The equivalent patch for the memcached token backend in Folsom has already been merged.
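The following is an added illustration of the behaviour described in the report, written for this page; it is not Keystone code and does not reproduce the attached patches. It models a minimal token store in memory: with `invalidate_on_role_change=False` the token keeps the role set captured at issue time after a revocation (the reported defect), and with `invalidate_on_role_change=True` every token the user holds is dropped on grant/revoke (the behaviour the fix description states). The `stale_tokens` audit, the user name and the role names are constructed for the example.

```python
"""Constructed model of the CVE-2012-4413 token/role behaviour (not Keystone code)."""
import secrets
import time


class TokenStore:
    """In-memory token backend; the flag selects vulnerable or fixed behaviour."""

    def __init__(self, invalidate_on_role_change):
        self.invalidate_on_role_change = invalidate_on_role_change
        self.roles = {}    # user -> set of current role names
        self.tokens = {}   # token id -> {"user", "roles", "expires"}

    def grant_role(self, user, role):
        self.roles.setdefault(user, set()).add(role)
        self._on_role_change(user)

    def revoke_role(self, user, role):
        self.roles.setdefault(user, set()).discard(role)
        self._on_role_change(user)

    def _on_role_change(self, user):
        # The fix described in the report: drop every token this user holds
        # so the next token they obtain carries the updated role set.
        if self.invalidate_on_role_change:
            for tid in [t for t, rec in self.tokens.items() if rec["user"] == user]:
                del self.tokens[tid]

    def issue_token(self, user, ttl_seconds=3600, now=None):
        now = time.time() if now is None else now
        tid = secrets.token_hex(16)
        # Roles are snapshotted into the token at issue time.
        self.tokens[tid] = {
            "user": user,
            "roles": frozenset(self.roles.get(user, set())),
            "expires": now + ttl_seconds,
        }
        return tid

    def validate(self, tid, now=None):
        """Return the role set the token carries, or None if unknown/expired."""
        now = time.time() if now is None else now
        rec = self.tokens.get(tid)
        if rec is None or rec["expires"] <= now:
            return None
        return rec["roles"]

    def stale_tokens(self, now=None):
        """Audit helper (constructed): live tokens whose snapshotted roles no
        longer match the user's current roles. Non-empty output means the
        vulnerable behaviour is in effect."""
        now = time.time() if now is None else now
        return [
            tid for tid, rec in self.tokens.items()
            if rec["expires"] > now
            and rec["roles"] != frozenset(self.roles.get(rec["user"], set()))
        ]


def revoke_then_validate(invalidate_on_role_change):
    """Grant admin, issue a token, revoke admin, then validate the old token."""
    store = TokenStore(invalidate_on_role_change)
    store.grant_role("alice", "admin")          # constructed user and role
    tid = store.issue_token("alice", now=1000.0)
    store.revoke_role("alice", "admin")
    return store.validate(tid, now=1001.0), store.stale_tokens(now=1001.0)


if __name__ == "__main__":
    print("vulnerable:", revoke_then_validate(False))  # old token still carries admin
    print("fixed:     ", revoke_then_validate(True))   # old token is gone
```

The `stale_tokens` audit is the check a deployment could run against its token backend to confirm that role changes are actually reflected: after the fix, a user's tokens are removed on grant/revoke, so the audit returns nothing.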
Created attachment 610928 [details] CVE-2012-4413-master-v4.txt
Created attachment 610929 [details] CVE-2012-4413-stable-essex-v4.txt
This has now been released publicly: https://review.openstack.org/#/c/12868/
Created openstack-keystone tracking bugs for this issue Affects: fedora-all [bug 856712]
Created openstack-keystone tracking bugs for this issue Affects: epel-6 [bug 856720]
Acknowledgements: Red Hat would like to thank Dolph Mathews for reporting this issue.
This issue has been addressed in the following products: OpenStack Essex for RHEL 6 Via RHSA-2012:1378 https://rhn.redhat.com/errata/RHSA-2012-1378.html