Bug 960203 - (CVE-2013-2059) CVE-2013-2059 OpenStack Keystone: tokens not immediately invalidated when user is deleted
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20130509,repor...
Keywords: Security
Depends On: 960207 961858 961859
Blocks: 960205
Reported: 2013-05-06 12:57 EDT by Kurt Seifried
Modified: 2016-04-26 19:05 EDT
CC: 14 users
Doc Type: Bug Fix
Last Closed: 2013-05-25 03:59:19 EDT
Attachments
folsom-CVE-2013-2059.patch (2.29 KB, patch) - 2013-05-06 13:08 EDT, Kurt Seifried
grizzly-CVE-2013-2059.patch (1.86 KB, patch) - 2013-05-06 13:09 EDT, Kurt Seifried
havana-CVE-2013-2059.patch (1.89 KB, patch) - 2013-05-06 13:09 EDT, Kurt Seifried

External Trackers
Tracker: Novell 819353

Description Kurt Seifried 2013-05-06 12:57:58 EDT
Thierry Carrez reports:

Title: Keystone tokens not immediately invalidated when user is deleted
Reporter: Sam Stoelinga
Products: Keystone
Affects: Folsom, Grizzly

Description:
Sam Stoelinga reported a vulnerability in Keystone. When users are
deleted through Keystone v2 API, existing tokens for those users are not
immediately invalidated and remain valid for the duration of the token's
life (by default, up to 24 hours). This may result in users retaining
access when the administrator of the system thought them disabled. You
can work around this issue by disabling a user before deleting it: in
that case the tokens belonging to the disabled user are immediately
invalidated. Keystone setups using the v3 API call to delete users are
unaffected.
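The advisory above describes three behaviours: the vulnerable v2 delete path leaves a deleted user's tokens valid until they expire, disabling a user revokes its tokens immediately, and deleting a disabled user is therefore safe. The following is an added, self-contained model written for this bug page; it is not Keystone code and does not reproduce Keystone's internals. It assumes only the property the advisory relies on, namely that a token is validated from the token table alone (the token carries a copy of the user data at issue time), so removing the user row by itself does not affect validation. All class and function names and the 24-hour default lifetime are constructed for the example; the advisory states the 24-hour default, the rest is illustrative.

```python
import time
import secrets
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    name: str
    enabled: bool = True


@dataclass
class Token:
    token_id: str
    user_id: str
    expires: float
    revoked: bool = False


class Identity:
    """Toy identity backend (constructed for this example)."""

    def __init__(self):
        self.users = {}

    def create(self, name):
        user = User(user_id=secrets.token_hex(8), name=name)
        self.users[user.user_id] = user
        return user


class TokenStore:
    """Toy token backend. Validation looks only at the token table, never at
    the identity backend, which is the property that makes a delete path that
    forgets to revoke tokens dangerous."""

    def __init__(self, now=time.time):
        self.tokens = {}
        self.now = now  # injectable clock so expiry can be exercised offline

    def issue(self, user, ttl_seconds=24 * 3600):
        token = Token(secrets.token_hex(16), user.user_id, self.now() + ttl_seconds)
        self.tokens[token.token_id] = token
        return token.token_id

    def revoke_for_user(self, user_id):
        revoked = 0
        for token in self.tokens.values():
            if token.user_id == user_id and not token.revoked:
                token.revoked = True
                revoked += 1
        return revoked

    def validate(self, token_id):
        token = self.tokens.get(token_id)
        return token is not None and not token.revoked and token.expires > self.now()


def disable_user(identity, store, user_id):
    """Disabling a user revokes its tokens at once (the behaviour the advisory
    says already existed)."""
    identity.users[user_id].enabled = False
    store.revoke_for_user(user_id)


def delete_user_vulnerable(identity, store, user_id):
    """The defect: the user row disappears but its tokens are left untouched."""
    del identity.users[user_id]


def delete_user_fixed(identity, store, user_id):
    """Hardened delete: revoke first, then remove the user."""
    store.revoke_for_user(user_id)
    del identity.users[user_id]


def delete_user_workaround(identity, store, user_id):
    """The advisory's workaround: disable, then delete through the unfixed path."""
    disable_user(identity, store, user_id)
    delete_user_vulnerable(identity, store, user_id)


def orphaned_live_tokens(identity, store):
    """Audit check: still-valid tokens whose user no longer exists."""
    return [t.token_id for t in store.tokens.values()
            if store.validate(t.token_id) and t.user_id not in identity.users]


def demo(delete_fn, elapsed_after_delete=0.0):
    """Issue a token, delete the user with delete_fn, optionally advance the clock,
    and report (token still valid?, number of orphaned live tokens)."""
    clock = [0.0]
    identity, store = Identity(), TokenStore(now=lambda: clock[0])
    alice = identity.create("alice")
    token_id = store.issue(alice)
    delete_fn(identity, store, alice.user_id)
    clock[0] += elapsed_after_delete
    return store.validate(token_id), len(orphaned_live_tokens(identity, store))


if __name__ == "__main__":
    print("vulnerable delete:", demo(delete_user_vulnerable))
    print("fixed delete:     ", demo(delete_user_fixed))
    print("disable+delete:   ", demo(delete_user_workaround))
    print("vulnerable, +25h: ", demo(delete_user_vulnerable, 25 * 3600))
```

The `orphaned_live_tokens` audit is the part an operator of an unpatched deployment would want: run against the token and identity backends it lists tokens that outlive their user, which is exactly the window the advisory describes and which closes only when those tokens expire.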
Comment 2 Kurt Seifried 2013-05-06 13:08:49 EDT
Created attachment 744263: folsom-CVE-2013-2059.patch
Comment 3 Kurt Seifried 2013-05-06 13:09:20 EDT
Created attachment 744264: grizzly-CVE-2013-2059.patch
Comment 4 Kurt Seifried 2013-05-06 13:09:38 EDT
Created attachment 744265: havana-CVE-2013-2059.patch
Comment 6 Jan Lieskovsky 2013-05-10 11:11:10 EDT
Created openstack-keystone tracking bugs for this issue

Affects: fedora-all [bug 961858]
Affects: epel-6 [bug 961859]
Comment 7 Fedora Update System 2013-05-21 21:29:13 EDT
openstack-keystone-2012.2.4-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-05-24 16:25:50 EDT
openstack-keystone-2013.1.1-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.