Bug 866483 (CVE-2014-2237) - VUL-1: CVE-2014-2237: openstack-keystone: trustee token revocation does not work with memcache backend
Summary: VUL-1: CVE-2014-2237: openstack-keystone: trustee token revocation does not w...
Status: RESOLVED FIXED
Alias: CVE-2014-2237
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Deadline: 2014-04-17
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/96700/
Whiteboard: maint:running:56887:moderate maint:r...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-03 07:36 UTC by Marcus Meissner
Modified: 2014-09-01 11:56 UTC
5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2014-03-03 07:36:04 UTC
via oss-security
A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although
an advisory was not sent yet.

Title: Trustee token revocation does not work with memcache backend
Reporter: Morgan Fainberg (Metacloud)
Products: Keystone
Versions: 2013.1 up to 2013.1.4 and 2013.2 versions up to 2013.2.2

Description:
Morgan Fainberg from Metacloud reported a vulnerability in the Keystone
memcache token backend. When a trustor issues a trust token with
impersonation enabled, the token is only added to the trustor's token
list and not to the trustee's token list. This results in the trust
token not being invalidated by the trustee's token revocation (bulk
revocation). This is most noticeable when the trustee user is disabled
or the trustee changes a password. Only setups using the memcache
backend for tokens in Keystone are affected.

References:
https://launchpad.net/bugs/1260080
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1071434
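The bookkeeping defect described in the report, modelled as an added example that is not Keystone's own backend code: an in-memory dict stands in for memcache, the token and trust field names (`user`, `trust`, `trustee_user_id`) are assumed, and the `index_trustee` switch reproduces the vulnerable and the corrected indexing side by side so the effect of the trustee's bulk revocation can be checked directly.

```python
"""Simplified model of per-user token-list bookkeeping in a memcache-style
token store, written to illustrate CVE-2014-2237.  Added example, not
Keystone's backend code; the store is an in-memory dict standing in for
memcache, and all names and sample ids below are constructed."""

import copy


class TokenStore:
    """Minimal token backend: tokens keyed by id, plus a per-user list of
    token ids ("usertokens-<user_id>") that bulk revocation walks."""

    def __init__(self, index_trustee):
        # index_trustee=False reproduces the vulnerable bookkeeping;
        # index_trustee=True is the corrected behaviour.
        self.index_trustee = index_trustee
        self.store = {}  # stand-in for memcache (assumed layout)

    @staticmethod
    def _user_key(user_id):
        return "usertokens-%s" % user_id

    def _index(self, user_id, token_id):
        self.store.setdefault(self._user_key(user_id), []).append(token_id)

    def create_token(self, token_id, data):
        """Store a token and record it in the owning user's token list.

        For a trust token with impersonation, data["user"] is the trustor
        (the impersonated user), so indexing by data["user"] alone leaves
        the trustee's token list untouched.  That is the defect."""
        self.store[token_id] = copy.deepcopy(data)
        self._index(data["user"]["id"], token_id)
        trust = data.get("trust")
        if self.index_trustee and trust is not None:
            # Corrected behaviour: the trustee's own revocation must reach
            # tokens issued on their behalf, so index under them as well.
            self._index(trust["trustee_user_id"], token_id)

    def get_token(self, token_id):
        return self.store.get(token_id)

    def delete_tokens(self, user_id):
        """Bulk revocation: drop every token in the user's token list
        (what happens when the user is disabled or changes password)."""
        key = self._user_key(user_id)
        for token_id in self.store.get(key, []):
            self.store.pop(token_id, None)
        self.store[key] = []


def trust_token_survives_trustee_revocation(index_trustee):
    """Issue a trust token with impersonation, revoke all of the trustee's
    tokens, and report whether the trust token is still valid."""
    backend = TokenStore(index_trustee=index_trustee)
    trustor, trustee = "trustor-1", "trustee-1"  # constructed ids
    backend.create_token("tok-trustee-login", {"user": {"id": trustee}})
    backend.create_token("tok-trust", {
        "user": {"id": trustor},  # impersonation: token carries the trustor
        "trust": {"trustor_user_id": trustor,
                  "trustee_user_id": trustee,
                  "impersonation": True},
    })
    backend.delete_tokens(trustee)  # e.g. trustee account disabled
    return backend.get_token("tok-trust") is not None


if __name__ == "__main__":
    print("vulnerable bookkeeping, trust token survives:",
          trust_token_survives_trustee_revocation(False))
    print("fixed bookkeeping, trust token survives:",
          trust_token_survives_trustee_revocation(True))
```

Running the module prints `True` for the vulnerable variant and `False` for the fixed one: with the trust token indexed only under the trustor, disabling the trustee or changing their password leaves a token still usable in their name, which is exactly why the SQL backend (which queries by trustee rather than walking a per-user list) is unaffected.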
Comment 1 Swamp Workflow Management 2014-03-03 23:00:20 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2014-03-07 14:30:36 UTC
Is our setup even affected?
Comment 3 Vincent Untz 2014-03-07 14:44:28 UTC
I don't think we're using the memcache backend; I think we're using the database one, so possibly not. Leaving it up to Sascha who can likely confirm.
Comment 6 Swamp Workflow Management 2014-03-26 15:43:59 UTC
The SWAMPID for this issue is 56805.
This issue was rated as moderate.
Please submit fixed packages until 2014-04-09.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 7 SMASH SMASH 2014-03-26 15:45:20 UTC
Affected packages:

SLE-11-SP3-PRODUCTS: openstack-keystone
Comment 8 Bernhard Wiedemann 2014-03-28 10:32:29 UTC
we always use
driver = keystone.token.backends.sql.Token

so this issue should not affect us
and we can just add this patch with the next normal update
Comment 9 Bernhard Wiedemann 2014-04-01 10:59:58 UTC
https://build.suse.de/request/show/35310 openstack-keystone
might need updated crowbar-barclamp-keystone
Comment 10 Swamp Workflow Management 2014-04-03 15:22:40 UTC
The SWAMPID for this issue is 56887.
This issue was rated as moderate.
Please submit fixed packages until 2014-04-17.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 11 Swamp Workflow Management 2014-04-11 19:45:39 UTC
Update released for: openstack-keystone, openstack-keystone-test, python-keystone
Products:
SUSE-CLOUD 3.0 (x86_64)
Comment 12 Swamp Workflow Management 2014-04-11 23:04:26 UTC
SUSE-SU-2014:0519-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 866483,869326
CVE References: CVE-2014-2237
Sources used:
SUSE Cloud 3 (src):    openstack-keystone-2013.2.3.dev4.g27e1469-0.7.1
Comment 14 Marcus Meissner 2014-09-01 11:56:47 UTC
released