Bug 960203 (CVE-2013-2059) - CVE-2013-2059 OpenStack Keystone: tokens not immediately invalidated when user is deleted
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-2059
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 960207 961858 961859
Blocks: 960205
Reported: 2013-05-06 16:57 UTC by Kurt Seifried
Modified: 2019-09-29 13:04 UTC (History)
CC List: 14 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-25 07:59:19 UTC


Attachments
folsom-CVE-2013-2059.patch (2.29 KB, patch)
2013-05-06 17:08 UTC, Kurt Seifried
grizzly-CVE-2013-2059.patch (1.86 KB, patch)
2013-05-06 17:09 UTC, Kurt Seifried
havana-CVE-2013-2059.patch (1.89 KB, patch)
2013-05-06 17:09 UTC, Kurt Seifried


Links
Novell 819353 (Priority: None, Status: None, Summary: None, Last Updated: Never)

Description Kurt Seifried 2013-05-06 16:57:58 UTC
Thierry Carrez reports:

Title: Keystone tokens not immediately invalidated when user is deleted
Reporter: Sam Stoelinga
Products: Keystone
Affects: Folsom, Grizzly

Description:
Sam Stoelinga reported a vulnerability in Keystone. When users are
deleted through the Keystone v2 API, existing tokens for those users are not
immediately invalidated and remain valid for the duration of the token's
life (by default, up to 24 hours). This may result in users retaining
access when the administrator of the system thought them disabled. You
can work around this issue by disabling a user before deleting it: in
that case the tokens belonging to the disabled user are immediately
invalidated. Keystone setups using the v3 API call to delete users are
unaffected.
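The behaviour described above, modelled as an added example rather than Keystone's own code: a constructed toy identity service whose pre-fix delete leaves the user's tokens in the token store, whose patched delete revokes them first, and whose disable path revokes immediately (the advisory's workaround). The class, method and user names are assumptions made for the illustration.

```python
import secrets
import time

TOKEN_TTL = 24 * 3600  # default token lifetime cited in the advisory


class Identity:
    def __init__(self):
        self.users = {}   # user_id -> {"enabled": bool}
        self.tokens = {}  # token_id -> {"user_id": str, "expires": float}

    def issue_token(self, user_id):
        token_id = secrets.token_hex(16)
        self.tokens[token_id] = {"user_id": user_id, "expires": time.time() + TOKEN_TTL}
        return token_id

    def revoke_tokens(self, user_id):
        # Drop every token issued to user_id from the token store.
        self.tokens = {t: v for t, v in self.tokens.items()
                       if v["user_id"] != user_id}

    def disable_user(self, user_id):
        # Disabling revokes at once, which is why disable-then-delete works.
        self.users[user_id]["enabled"] = False
        self.revoke_tokens(user_id)

    def delete_user_vulnerable(self, user_id):
        # Pre-fix v2 behaviour: the user record goes, the tokens stay.
        del self.users[user_id]

    def delete_user_fixed(self, user_id):
        # Patched behaviour: revoke the user's tokens, then delete the user.
        self.revoke_tokens(user_id)
        del self.users[user_id]

    def validate_token(self, token_id):
        # Validation consults the token store and expiry only, so an
        # unrevoked token stays good for up to TOKEN_TTL seconds.
        tok = self.tokens.get(token_id)
        return tok is not None and tok["expires"] > time.time()


def token_survives_delete(delete, disable_first=False):
    idp = Identity()
    idp.users["alice"] = {"enabled": True}  # constructed sample user
    token = idp.issue_token("alice")
    if disable_first:
        idp.disable_user("alice")  # the advisory's workaround
    delete(idp, "alice")
    return idp.validate_token(token)
```

`token_survives_delete(Identity.delete_user_vulnerable)` returns True while the fixed delete and the disable-first path both return False, which is the window the patches close.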

Comment 2 Kurt Seifried 2013-05-06 17:08:49 UTC
Created attachment 744263 [details]
folsom-CVE-2013-2059.patch

Comment 3 Kurt Seifried 2013-05-06 17:09:20 UTC
Created attachment 744264 [details]
grizzly-CVE-2013-2059.patch

Comment 4 Kurt Seifried 2013-05-06 17:09:38 UTC
Created attachment 744265 [details]
havana-CVE-2013-2059.patch

Comment 6 Jan Lieskovsky 2013-05-10 15:11:10 UTC
Created openstack-keystone tracking bugs for this issue

Affects: fedora-all [bug 961858]
Affects: epel-6 [bug 961859]

Comment 7 Fedora Update System 2013-05-22 01:29:13 UTC
openstack-keystone-2012.2.4-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2013-05-24 20:25:50 UTC
openstack-keystone-2013.1.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

