Bug 879402 - (CVE-2012-5563) CVE-2012-5563 OpenStack: Keystone extension of token validity through token chaining
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20121128,repor...
Depends On: 879405
Blocks: 873487 879404
Reported: 2012-11-22 16:29 EST by Kurt Seifried
Modified: 2016-04-26 09:47 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-11 02:57:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
CVE-2012-5563-keystone.patch includes test case (3.29 KB, patch)
2012-11-22 16:36 EST, Kurt Seifried
Description Kurt Seifried 2012-11-22 16:29:11 EST
Thierry Carrez (thierry@openstack.org) of the OpenStack project reports:

Anndy reported a vulnerability in token chaining in Keystone. A token
expiration date can be circumvented by creating a new token before the
old one has expired. An authenticated and authorized user could
potentially leverage this vulnerability to extend his access beyond the
account owner's expectations. Note: this vulnerability was fixed in the
past (CVE-2012-3426) but was reintroduced in Folsom when code was
refactored to support PKI tokens.
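An added illustration of the flaw described above (this is a constructed model, not the Keystone code or the attached patch): a chained token that receives a full fresh TTL can be re-chained indefinitely, while capping the child's expiry at the parent's expiry (the mitigation the fix amounts to) bounds the session to the original lifetime. Names such as Token, issue_token_vulnerable and issue_token_fixed are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional
import secrets

TOKEN_TTL = timedelta(hours=24)  # constructed value, not Keystone's default


@dataclass(frozen=True)
class Token:
    token_id: str
    user: str
    expires: datetime


def _check_unexpired(token: Token, now: datetime) -> None:
    """Reject an expired token before it can be used to authenticate."""
    if now >= token.expires:
        raise PermissionError("token expired")


def issue_token_vulnerable(user: str, now: datetime,
                           chained_from: Optional[Token] = None) -> Token:
    """Behaviour the report describes: a token obtained by authenticating
    with an existing (unexpired) token gets a brand-new, full TTL."""
    if chained_from is not None:
        _check_unexpired(chained_from, now)
    return Token(secrets.token_hex(8), user, now + TOKEN_TTL)


def issue_token_fixed(user: str, now: datetime,
                      chained_from: Optional[Token] = None) -> Token:
    """Hardened: a chained token never outlives the token it derives from."""
    expires = now + TOKEN_TTL
    if chained_from is not None:
        _check_unexpired(chained_from, now)
        expires = min(expires, chained_from.expires)
    return Token(secrets.token_hex(8), user, expires)


def hours_gained_by_chaining(issue: Callable[..., Token], hops: int) -> int:
    """Re-issue a token from its predecessor once an hour for `hops` hours and
    return how many hours past the ORIGINAL expiry the last token is valid.
    Raises PermissionError if a parent token has already expired."""
    t0 = datetime(2012, 11, 22, tzinfo=timezone.utc)  # constructed start time
    original = issue("alice", t0)
    current = original
    for hour in range(1, hops + 1):
        current = issue("alice", t0 + timedelta(hours=hour), chained_from=current)
    return int((current.expires - original.expires).total_seconds() // 3600)
```

With the vulnerable issuer, 48 hourly re-issues push validity 48 hours past the original expiry; with the capped issuer the gain is always zero and the chain dies at the original 24-hour mark.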
Comment 1 Kurt Seifried 2012-11-22 16:36:24 EST
Created attachment 650039
CVE-2012-5563-keystone.patch includes test case
Comment 3 Murray McAllister 2012-12-10 00:46:54 EST
Acknowledgements:

Red Hat would like to thank the OpenStack project for reporting this issue. Upstream acknowledges Anndy as the original reporter.
Comment 4 errata-xmlrpc 2012-12-10 16:02:19 EST
This issue has been addressed in following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2012:1557 https://rhn.redhat.com/errata/RHSA-2012-1557.html
Comment 5 Fedora Update System 2012-12-11 00:56:56 EST
openstack-keystone-2012.2.1-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2012-12-19 13:33:55 EST
openstack-keystone-2012.2.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.