OpenStack Security Advisory

Openstack: Application credential token remains valid longer than expected (CVE-2022-2447)

Bug #1992183 reported by David Wilde on 2022-10-07

258

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	High	David Wilde
	OpenStack Security Advisory	Incomplete	Undecided	David Wilde

Bug Description

Description of problem:
Keystone issues tokens with the default lifespan regardless of the lifespan of the application credentials used to issue them.
If the configured lifespan of an identity token is set to be 1h, and the application credentials expire in 1 minute from now, a newly issued token will outlive the application credentials used to issue it by 59 minutes.

How reproducible: 100%

Steps to Reproduce:
1. Create application credentials with short expiration time (e.g. 10 seconds)
2. openstack token issue
--> the returned token has standard expiration, for example 1 hour. The script below confirms that the token continue being valid after the application credentials expired.

```bash
#!/usr/bin/env bash

set -Eeuo pipefail

openstack image create --disk-format=raw --container-format=bare --file <(echo 'I am a Glance image') testimage -f json > image.json

image_url="$(openstack catalog show glance -f json | jq -r '.endpoints[] | select(.interface=="public").url')$(jq -r '.file' image.json)"

openstack application credential create \
--expiration="$(date --utc --date '+10 second' +%Y-%m-%dT%H:%M:%S)" \
token_test \
-f json \
> appcreds.json

cat <<EOF > clouds.yaml
clouds:
    ${OS_CLOUD}:
        auth:
            auth_url: <auth_url>
            application_credential_id: '$(jq -r '.id' appcreds.json)'
            application_credential_secret: '$(jq -r '.secret' appcreds.json)'
        auth_type: "v3applicationcredential"
        identity_api_version: 3
        interface: public
        region_name: <region_name>
EOF
# Override ~/.config/openstack/secure.yaml
touch secure.yaml

openstack token issue -f json > token.json

echo "appcreds expiration: $(jq -r '.expires_at' appcreds.json)"
for i in {1..10}; do
sleep 100
echo -ne "$(date --utc --rfc-3339=seconds)\t"
curl -isS -H "X-Auth-Token: $(jq -r '.id' token.json)" --url "$image_url" | head -n1
done

```

Actual results (on a cloud with tokens duration of 24h):
appcreds expiration: 2022-07-08T13:55:02.000000
2022-07-08 13:56:38+00:00 HTTP/1.1 200 OK
2022-07-08 13:58:19+00:00 HTTP/1.1 200 OK
2022-07-08 14:00:00+00:00 HTTP/1.1 200 OK
2022-07-08 14:01:42+00:00 HTTP/1.1 200 OK
2022-07-08 14:03:23+00:00 HTTP/1.1 200 OK
2022-07-08 14:05:07+00:00 HTTP/1.1 200 OK
2022-07-08 14:06:49+00:00 HTTP/1.1 200 OK
2022-07-08 14:08:37+00:00 HTTP/1.1 200 OK
2022-07-08 14:10:18+00:00 HTTP/1.1 200 OK
2022-07-08 14:12:00+00:00 HTTP/1.1 200 OK

Expected results:
appcreds expiration: 2022-07-08T13:55:02.000000
2022-07-08 13:54:38+00:00 HTTP/1.1 200 OK
2022-07-08 13:58:19+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:00:00+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:01:42+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:03:23+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:05:07+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:06:49+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:08:37+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:10:18+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:12:00+00:00 HTTP/1.1 401 Unauthorized

Tags:

CVE References

2022-2447

David Wilde (dave-wilde) on 2022-10-07

Changed in ossa:
assignee:	nobody → David Wilde (dave-wilde)
Changed in keystone:
importance:	Undecided → High

Revision history for this message

Gage Hugo (gagehugo) wrote on 2022-10-07:

I assume the path forward will be to have the token expire when the application credential does, but I'd like to make sure we document that a token created by an app cred will expire according to the expiry of the app cred rather than the token config setting default.

Revision history for this message

Jeremy Stanley (fungi) wrote on 2022-10-10:

I've switched our security advisory task to incomplete until there's some indication that the agreed solution will be backportable to all supported stable branches.

Changed in ossa:
status:	New → Incomplete

David Wilde (dave-wilde) on 2022-10-13

summary:

Openstack: Application credential token remains valid longer than
- expected
+ expected (CVE-2022-2447)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-10-13: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/861232

Changed in keystone:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-10-28: Fix merged to keystone (master)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/861232
Committed: https://opendev.org/openstack/keystone/commit/8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1
Submitter: "Zuul (22348)"
Branch: master

commit 8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1
Author: Dave Wilde (d34dh0r53) <email address hidden>
Date: Thu Oct 13 15:37:53 2022 -0500

Limit token expiration to application credential expiration

    If a token is issued with an application credential we need to check
    the expiration of the application credential to ensure that the token
    does not outlive the application credential. This ensures that if the
    token expiration is greaten than that of the application credential it
    is reset to the expiration of the application credential and a warning
    is logged. Please see CVE-2022-2447 for more information.

Closes-Bug: 1992183
Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2

Changed in keystone:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-10-30: Fix proposed to keystone (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/keystone/+/862903

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-10-30: Fix proposed to keystone (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/keystone/+/862904

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-10-30: Fix proposed to keystone (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/keystone/+/862905

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-10-30: Fix proposed to keystone (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/keystone/+/862906

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-10-30: Fix proposed to keystone (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/keystone/+/862907

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-10-30: Fix proposed to keystone (stable/ussuri)

#10

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/keystone/+/862908

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-10-30: Fix proposed to keystone (stable/train)

#11

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/keystone/+/862909

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-01-10: Fix merged to keystone (stable/zed)

#12

Reviewed: https://review.opendev.org/c/openstack/keystone/+/862903
Committed: https://opendev.org/openstack/keystone/commit/e4e097c5bcf981199563bd721ac643900d3fb616
Submitter: "Zuul (22348)"
Branch: stable/zed

commit e4e097c5bcf981199563bd721ac643900d3fb616
Author: Dave Wilde (d34dh0r53) <email address hidden>
Date: Thu Oct 13 15:37:53 2022 -0500

Limit token expiration to application credential expiration

    Closes-Bug: 1992183
    Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2
    (cherry picked from commit 8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1)

tags:

added: in-stable-zed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-02-17: Fix merged to keystone (stable/yoga)

#13

Reviewed: https://review.opendev.org/c/openstack/keystone/+/862904
Committed: https://opendev.org/openstack/keystone/commit/164d9522b8a150892432dbaba681c95d91d9508c
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 164d9522b8a150892432dbaba681c95d91d9508c
Author: Dave Wilde (d34dh0r53) <email address hidden>
Date: Thu Oct 13 15:37:53 2022 -0500

Limit token expiration to application credential expiration

    Closes-Bug: 1992183
    Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2
    (cherry picked from commit 8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1)

tags:

added: in-stable-yoga

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-03-07: Fix included in openstack/keystone 23.0.0.0rc1

#14

This issue was fixed in the openstack/keystone 23.0.0.0rc1 release candidate.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-03-15: Fix merged to keystone (stable/xena)

#15

Reviewed: https://review.opendev.org/c/openstack/keystone/+/862905
Committed: https://opendev.org/openstack/keystone/commit/8e25d823e4b73e1f3285a4ea64976cc770cb2644
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 8e25d823e4b73e1f3285a4ea64976cc770cb2644
Author: Dave Wilde (d34dh0r53) <email address hidden>
Date: Thu Oct 13 15:37:53 2022 -0500

Limit token expiration to application credential expiration

    Closes-Bug: 1992183
    Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2
    (cherry picked from commit 8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1)

tags:

added: in-stable-xena

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-06-14: Fix merged to keystone (stable/victoria)

#16

Reviewed: https://review.opendev.org/c/openstack/keystone/+/862907
Committed: https://opendev.org/openstack/keystone/commit/ab9366b9f9c0f86eac11e7befa454d3358750c73
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit ab9366b9f9c0f86eac11e7befa454d3358750c73
Author: Dave Wilde (d34dh0r53) <email address hidden>
Date: Thu Oct 13 15:37:53 2022 -0500

Limit token expiration to application credential expiration

    Closes-Bug: 1992183
    Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2
    (cherry picked from commit 8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1)

tags:

added: in-stable-victoria

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-08-25: Fix merged to keystone (stable/wallaby)

#17

Reviewed: https://review.opendev.org/c/openstack/keystone/+/862906
Committed: https://opendev.org/openstack/keystone/commit/bcef9dbd87b4941cb4dfafc920e0d78d843cb1a7
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit bcef9dbd87b4941cb4dfafc920e0d78d843cb1a7
Author: Dave Wilde (d34dh0r53) <email address hidden>
Date: Thu Oct 13 15:37:53 2022 -0500

Limit token expiration to application credential expiration

    Closes-Bug: 1992183
    Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2
    (cherry picked from commit 8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1)

tags:	added: in-stable-wallaby
tags:	added: in-stable-train

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-08-25: Fix merged to keystone (stable/train)

#18

Reviewed: https://review.opendev.org/c/openstack/keystone/+/862909
Committed: https://opendev.org/openstack/keystone/commit/192b4c4bb91419d5191ecbf7dfce8a42d647e6d3
Submitter: "Zuul (22348)"
Branch: stable/train

commit 192b4c4bb91419d5191ecbf7dfce8a42d647e6d3
Author: Dave Wilde (d34dh0r53) <email address hidden>
Date: Thu Oct 13 15:37:53 2022 -0500

Limit token expiration to application credential expiration

With direct cherry-pick, a non-existing module was being referenced. It
was fixed manually.

    Closes-Bug: 1992183
    Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2
    (cherry picked from commit 8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1)