[OSSA 2016-005] PKI Token Revocation Bypass (CVE-2015-7546)
Bug #1490804 reported by
Liusheng
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
High
|
Brant Knudson | ||
Kilo |
Fix Released
|
High
|
Unassigned | ||
OpenStack Security Advisory |
Fix Released
|
Undecided
|
Unassigned | ||
OpenStack Security Notes |
Fix Released
|
Critical
|
Nathan Kinder | ||
django-openstack-auth |
Invalid
|
Undecided
|
Adam Young | ||
keystonemiddleware |
Fix Released
|
High
|
Brant Knudson | ||
python-keystoneclient |
Won't Fix
|
Undecided
|
Adam Young |
Bug Description
A keystone token which has been revoked can still be used by manipulating particular byte fields within the token.
When a Keystone token is revoked it is added to the revoked list which stores the exact token value. Any API will look at the token to see whether or not it should accept a token. By changing a single byte within the token, the revocation can be bypassed. see the testing script [1].
It is suggested that the revocation should be changed to only check the token's inner ID.
CVE References
Changed in keystone: | |
assignee: | nobody → Adam Young (ayoung) |
Changed in django-openstack-auth: | |
assignee: | nobody → Adam Young (ayoung) |
Changed in django-openstack-auth: | |
status: | New → Invalid |
Changed in keystone: | |
status: | New → Confirmed |
status: | Confirmed → Triaged |
Changed in keystonemiddleware: | |
status: | New → Triaged |
Changed in python-keystoneclient: | |
status: | New → Triaged |
Changed in ossn: | |
assignee: | nobody → Nathan Kinder (nkinder) |
information type: | Private Security → Public Security |
description: | updated |
Changed in keystone: | |
assignee: | Adam Young (ayoung) → Brant Knudson (blk-u) |
status: | Won't Fix → In Progress |
Changed in keystonemiddleware: | |
assignee: | Adam Young (ayoung) → Brant Knudson (blk-u) |
status: | Won't Fix → In Progress |
Changed in keystone: | |
milestone: | none → mitaka-2 |
tags: | added: kilo-backport-potential liberty-backport-potential |
summary: |
- PKI Token Revocation Bypass (CVE-2015-7546) + [OSSA 2015-006] PKI Token Revocation Bypass (CVE-2015-7546) |
summary: |
- [OSSA 2015-006] PKI Token Revocation Bypass (CVE-2015-7546) + [OSSA 2015-005] PKI Token Revocation Bypass (CVE-2015-7546) |
Changed in ossa: | |
status: | Confirmed → Fix Released |
summary: |
- [OSSA 2015-005] PKI Token Revocation Bypass (CVE-2015-7546) + [OSSA 2016-005] PKI Token Revocation Bypass (CVE-2015-7546) |
To post a comment you must log in.
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.