Bugzilla – Bug 818596
VUL-0: openstack-keystone: CVE-2013-2059: Keystone tokens not immediately invalidated when user is deleted
Last modified: 2013-11-21 14:19:09 UTC
Via vendor sec (please note the embargo, don't leak anything):

------------------------------------------------------------------------

This is an advance warning of a vulnerability discovered in OpenStack, to give you, as downstream stakeholders, a chance to coordinate the release of fixes and reduce the vulnerability window. Please treat the following information as confidential until the proposed public disclosure date.

Title: Keystone tokens not immediately invalidated when user is deleted
Reporter: Sam Stoelinga
Products: Keystone
Affects: Folsom, Grizzly

Description:
Sam Stoelinga reported a vulnerability in Keystone. When users are deleted through Keystone v2 API, existing tokens for those users are not immediately invalidated and remain valid for the duration of the token's life (by default, up to 24 hours). This may result in users retaining access when the administrator of the system thought them disabled. You can workaround this issue by disabling a user before deleting it: in that case the tokens belonging to the disabled user are immediately invalidated. Keystone setups using the v3 API call to delete users are unaffected.

Proposed patches:
See attached patches. Unless a flaw is discovered in them, these patches will be merged to Keystone master (havana), stable/grizzly, and stable/folsom branches on the public disclosure date.

CVE: No CVE has been assigned to this issue yet.

Proposed public disclosure date/time: Thursday, May 9, 1500UTC.

The notice is relatively short but this is actually not really "exploitable" and benefits from being documented ASAP... Let me know if you would rather like to extend it. In all cases, please do not make the issue public (or release public patches) before this coordinated embargo date.

Regards,
--
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team

------------------------------------------------------------------------
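A small in-memory model of the flaw described in the advisory, added here as an illustration; it is not Keystone's code, and the TokenService class and its method names are hypothetical. It contrasts a validator that checks only token expiry (so a token outlives a v2 user deletion) with one that also requires the owning user to still exist and be enabled, and shows the disable-then-delete workaround revoking tokens at once.

```python
"""Illustrative model of CVE-2013-2059; not Keystone's code, names are hypothetical."""
import secrets
import time

TOKEN_TTL = 24 * 3600  # Keystone's default token lifetime (24 hours)


class TokenService:
    def __init__(self):
        self.users = {}   # user_id -> {"enabled": bool}
        self.tokens = {}  # token_id -> {"user_id": str, "expires": float}

    def create_user(self, user_id):
        self.users[user_id] = {"enabled": True}

    def issue_token(self, user_id, now=None):
        now = time.time() if now is None else now
        tok = secrets.token_hex(16)
        self.tokens[tok] = {"user_id": user_id, "expires": now + TOKEN_TTL}
        return tok

    def _revoke_user_tokens(self, user_id):
        for tok in [t for t, v in self.tokens.items() if v["user_id"] == user_id]:
            del self.tokens[tok]

    def disable_user(self, user_id):
        """Disabling a user revokes its tokens at once (the advisory's workaround)."""
        self.users[user_id]["enabled"] = False
        self._revoke_user_tokens(user_id)

    def delete_user_v2(self, user_id):
        """Vulnerable v2 behaviour: the user row goes, its tokens stay."""
        self.users.pop(user_id, None)

    def delete_user_workaround(self, user_id):
        """Advisory workaround: disable first, then delete."""
        self.disable_user(user_id)
        self.delete_user_v2(user_id)

    def validate_vulnerable(self, tok, now=None):
        """Checks only that the token exists and has not expired."""
        now = time.time() if now is None else now
        rec = self.tokens.get(tok)
        return rec is not None and rec["expires"] > now

    def validate_hardened(self, tok, now=None):
        """Also requires the owning user to still exist and be enabled."""
        if not self.validate_vulnerable(tok, now):
            return False
        user = self.users.get(self.tokens[tok]["user_id"])
        return user is not None and user["enabled"]
```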
CC'ing vuntz
OBS sr#174752 maintenance request to 12.3:Update Backported the patch to Essex for Cloud-1.0 too. Currently trickling through our testing (currently in IBS Devel:Cloud:1.0:OpenStack).
This is an autogenerated message for OBS integration: This bug (818596) was mentioned in https://build.opensuse.org/request/show/174752 Maintenance /
Public now. CVE-2013-2059 was assigned.
*** Bug 819353 has been marked as a duplicate of this bug. ***
Sascha, could you resubmit sr#174752 and include CVE-2013-2059?
(In reply to comment #8)
> Sascha, could you resubmit sr#174752 and include CVE-2013-2059?

Sure, it's sr#175227
This is an autogenerated message for OBS integration: This bug (818596) was mentioned in https://build.opensuse.org/request/show/175227 Maintenance /
openSUSE-SU-2013:0949-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 818596
CVE References: CVE-2013-2059
Sources used:
openSUSE 12.3 (src): openstack-keystone-2012.2.4+git.1363796849.255b1d4-3.12.1, openstack-keystone-doc-2012.2.4+git.1363796849.255b1d4-3.12.1
done
The SWAMPID for this issue is 52997. This issue was rated as moderate. Please submit fixed packages until 2013-07-01. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Update released for: openstack-keystone, openstack-keystone-doc, openstack-keystone-test, python-keystone Products: SUSE-CLOUD 1.0 (x86_64)