Red Hat Bugzilla – Bug 879402
CVE-2012-5563 OpenStack: Keystone extension of token validity through token chaining
Last modified: 2016-04-26 09:47:14 EDT
Thierry Carrez (firstname.lastname@example.org) of the OpenStack project reports:
Anndy reported a vulnerability in token chaining in Keystone. A token
expiration date can be circumvented by creating a new token before the
old one has expired. An authenticated and authorized user could
potentially leverage this vulnerability to extend his access beyond the
account owner expectations. Note: this vulnerability was fixed in the
past (CVE-2012-3426) but was reintroduced in Folsom when code was
refactored to support PKI tokens.
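
The chaining behaviour described in the report above, as an added Python example that is not Keystone code and not part of the original report. `TokenService`, `chain_expiry`, the 24-hour lifetime and the sample user are assumptions made for illustration. With `inherit_expiry=False` every token-for-token exchange restarts the lifetime; with `inherit_expiry=True` the new token is capped at the expiry of the token used to request it.

```python
from datetime import datetime, timedelta, timezone
import secrets

TOKEN_LIFETIME = timedelta(hours=24)  # assumed lifetime, not a Keystone setting


class TokenService:
    """Minimal in-memory token store (hypothetical, for illustration only)."""

    def __init__(self, inherit_expiry):
        self.inherit_expiry = inherit_expiry  # False models the flawed behaviour
        self.tokens = {}  # token id -> (user, expires_at)

    def _store(self, user, expires_at):
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = (user, expires_at)
        return token_id

    def issue_from_password(self, user, now):
        # Fresh credentials always get a full lifetime.
        return self._store(user, now + TOKEN_LIFETIME)

    def issue_from_token(self, old_token_id, now):
        # Authenticate with an existing, unexpired token and mint a new one.
        user, old_expiry = self.tokens[old_token_id]
        if now >= old_expiry:
            raise PermissionError("token expired")
        expires_at = now + TOKEN_LIFETIME
        if self.inherit_expiry:
            # Hardened: a chained token never outlives the token it came from.
            expires_at = min(expires_at, old_expiry)
        return self._store(user, expires_at)

    def expires_at(self, token_id):
        return self.tokens[token_id][1]


def chain_expiry(service, hops, step):
    """Exchange a token `hops` times, `step` apart; return (first, last) expiry."""
    now = datetime(2012, 11, 1, tzinfo=timezone.utc)  # constructed start time
    token = service.issue_from_password("alice", now)  # constructed user
    first = service.expires_at(token)
    for _ in range(hops):
        now += step
        token = service.issue_from_token(token, now)
    return first, service.expires_at(token)
```

A regression test for this class of bug asserts that the last expiry in a chain equals the first, which is the property that was lost when the token code was refactored.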
Created attachment 650039
CVE-2012-5563-keystone.patch includes test case
Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Anndy as the original reporter.
This issue has been addressed in the following products:
OpenStack Folsom for RHEL 6
Via RHSA-2012:1557 https://rhn.redhat.com/errata/RHSA-2012-1557.html
openstack-keystone-2012.2.1-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
openstack-keystone-2012.2.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.