Bugzilla – Bug 958756
VUL-0: CVE-2015-7546: openstack-keystone: Potential reuse of revoked Identity tokens
Last modified: 2016-05-31 16:21:47 UTC
bugbot adjusting priority
https://bugs.launchpad.net/keystone/+bug/1490804 A keystone token which has been revoked can still be used by manipulating particular byte fields within the token. When a Keystone token is revoked it is added to the revoked list which stores the exact token value. Any API will look at the token to see whether or not it should accept a token. By changing a single byte within the token, the revocation can be bypassed. see the testing script [1]. It is suggested that the revocation should be changed to only check the token's inner ID. [1] http://paste.openstack.org/show/436516/
Created attachment 659544 [details] reproducer.txt paste.openstack.org content from above comment
This looks like something to document for cloud 5. Can you write up a small piece of text we could publish?
https://wiki.openstack.org/wiki/OSSN/OSSN-0062 The setting in crowbar is in the Keystone barclamp and is called "Algorithm for Token Generation". This one defaults to PKI and it should be changed to UUID.
bin/addnote CVE-2015-7546 "SUSE OpenStack Cloud 5 is affected by this problem, but we can not change this per update. The Administrator can apply a change to fix this security problem in the Keystone Barclamp, 'Algorithm for Token Generation'. Please refer to the <a href=\"https://wiki.openstack.org/wiki/OSSN/OSSN-0062\">OpenStack Security Notice</a> for the details."