Bug 965852 - (CVE-2013-2104) CVE-2013-2104 OpenStack Keystone: Missing expiration check in Keystone PKI token validation
CVE-2013-2104 OpenStack Keystone: Missing expiration check in Keystone PKI to...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130528,repor...
: Security
Depends On: 965859 965860 968328 968330 970659 970660
Blocks: 965855
  Show dependency treegraph
 
Reported: 2013-05-21 16:49 EDT by Kurt Seifried
Modified: 2016-04-26 18:45 EDT (History)
23 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-09 20:49:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
keystone-folsom-CVE-2013-2104.patch (23.05 KB, patch)
2013-05-21 16:54 EDT, Kurt Seifried
no flags Details | Diff
python-keystoneclient-master-CVE-2013-2104.patch (47.00 KB, patch)
2013-05-21 16:55 EDT, Kurt Seifried
no flags Details | Diff
Updated keystone-folsom-CVE-2013-2104.patch (11.45 KB, patch)
2013-05-27 09:15 EDT, Jan Lieskovsky
no flags Details | Diff
The final patch from upstream (11.84 KB, patch)
2013-05-28 18:28 EDT, Vincent Danen
no flags Details | Diff

  None (edit)
Description Kurt Seifried 2013-05-21 16:49:54 EDT
Thierry Carrez (thierry@openstack.org) reports:

Title: Missing expiration check in Keystone PKI token validation
Reporter: Eoghan Glynn (Red Hat)
Products/Affects: Keystone (Folsom only), python-keystoneclient (0.2.0+)

Description:
Eoghan Glynn from Red Hat reported a vulnerability in expiry checks for
PKI tokens in the Keystone authentication middleware. Expired tokens for
authenticated users could continue to be used, potentially resulting in
the bypass of intended security policies. The effect of PKI token
revocation is also reversed when the token expires, in the sense that a
revoked token is once again treated as being valid. Only setups using
PKI tokens are affected.

Note:
The affected code was added to Keystone in the Folsom release, but was
moved to python-keystoneclient during the Grizzly development cycle.
Comment 1 Kurt Seifried 2013-05-21 16:54:24 EDT
Created attachment 751373 [details]
keystone-folsom-CVE-2013-2104.patch
Comment 2 Kurt Seifried 2013-05-21 16:55:04 EDT
Created attachment 751374 [details]
python-keystoneclient-master-CVE-2013-2104.patch
Comment 5 Jan Lieskovsky 2013-05-27 09:15:54 EDT
Created attachment 753617 [details]
Updated keystone-folsom-CVE-2013-2104.patch
Comment 7 Vincent Danen 2013-05-28 18:28:26 EDT
Created attachment 754099 [details]
The final patch from upstream
Comment 8 Vincent Danen 2013-05-28 18:33:23 EDT
The upstream patch is available here:

https://github.com/openstack/keystone/commit/8d23da1302dde9d38bbc227d9aba30da919b60c8

And the upstream announcement is here:

http://www.openwall.com/lists/oss-security/2013/05/28/7
Comment 9 Jan Lieskovsky 2013-05-29 09:20:11 EDT
This issue did NOT affect the version of the openstack-keystone package, as shipped with Fedora release of 17.

--

This issue affects the version of the openstack-keystone package, as shipped with Fedora release of 18 and Fedora EPEL-6.
Comment 10 Jan Lieskovsky 2013-05-29 09:21:36 EDT
Created openstack-keystone tracking bugs for this issue

Affects: fedora-all [bug 968328]
Affects: epel-6 [bug 968330]
Comment 11 Jan Lieskovsky 2013-06-04 10:11:43 EDT
Created python-keystoneclient tracking bugs for this issue

Affects: epel-6 [bug 970659]
Affects: fedora-rawhide [bug 970660]
Comment 12 Murray McAllister 2013-06-06 09:25:27 EDT
Acknowledgements:

This issue was discovered by Eoghan Glynn of Red Hat.
Comment 15 Jan Lieskovsky 2013-06-12 06:56:16 EDT
This issue did NOT affect the versions of the python-keystoneclient package, as shipped with Fedora release of 17, 18, and Fedora EPEL-6.
Comment 16 errata-xmlrpc 2013-06-12 12:43:15 EDT
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:0944 https://rhn.redhat.com/errata/RHSA-2013-0944.html
Comment 17 Fedora Update System 2013-07-12 15:37:49 EDT
openstack-keystone-2012.2.4-5.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2013-08-09 13:01:08 EDT
openstack-keystone-2012.2.4-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2013-08-14 22:34:42 EDT
python-keystoneclient-0.2.3-7.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.