PublicDateAtUSN: 2012-09-13
Candidate: CVE-2012-4413
PublicDate: 2012-09-18
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4413
https://lists.launchpad.net/openstack/msg16659.html
http://www.ubuntu.com/usn/usn-1564-1
Description:
OpenStack Keystone 2012.1.3 does not invalidate existing tokens when
granting or revoking roles, which allows remote authenticated users to
retain the privileges of the revoked roles.
Ubuntu-Description:
Dolph Mathews discovered that when roles are granted to or revoked from
users in Keystone, pre-existing tokens were not updated or invalidated
to take the new roles into account. An attacker could use this to
continue to access resources for which access had been revoked.
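The behaviour described above, as an added example that is not Keystone's own code: a minimal token service in which tokens carry a snapshot of the user's roles taken at issuance. The vulnerable variant leaves outstanding tokens untouched when a role is revoked, so the old token keeps granting the role until it expires; the hardened variant both purges the user's tokens on any role change and resolves roles from the live assignment at authorization time. All class and function names, and the alice/proj sample data, are illustrative assumptions, not Keystone's API or its actual fix.

```python
import secrets
import time


class RoleStore:
    """Role assignments: (user, project) -> set of role names (constructed backend)."""

    def __init__(self):
        self._assignments = {}

    def grant(self, user, project, role):
        self._assignments.setdefault((user, project), set()).add(role)

    def revoke(self, user, project, role):
        self._assignments.get((user, project), set()).discard(role)

    def roles(self, user, project):
        return frozenset(self._assignments.get((user, project), set()))


class VulnerableTokenService:
    """Mirrors the CVE-2012-4413 behaviour: roles are copied into the token at
    issuance and never re-checked, and role changes leave issued tokens alone."""

    def __init__(self, roles, ttl=3600):
        self.roles = roles
        self.ttl = ttl
        self._tokens = {}  # token id -> token record

    def grant(self, user, project, role):
        self.roles.grant(user, project, role)   # outstanding tokens untouched

    def revoke(self, user, project, role):
        self.roles.revoke(user, project, role)  # outstanding tokens untouched: the bug

    def issue(self, user, project, now=None):
        now = time.time() if now is None else now
        tid = secrets.token_hex(16)
        self._tokens[tid] = {
            "user": user,
            "project": project,
            "roles": set(self.roles.roles(user, project)),  # snapshot at issuance
            "expires": now + self.ttl,
        }
        return tid

    def authorize(self, tid, required_role, now=None):
        now = time.time() if now is None else now
        tok = self._tokens.get(tid)
        if tok is None or now >= tok["expires"]:
            return False
        return required_role in tok["roles"]  # trusts the stale snapshot


class HardenedTokenService(VulnerableTokenService):
    """Two independent fixes: any role change purges the user's outstanding
    tokens, and authorization re-reads roles from the live assignment."""

    def grant(self, user, project, role):
        super().grant(user, project, role)
        self._purge_tokens(user, project)

    def revoke(self, user, project, role):
        super().revoke(user, project, role)
        self._purge_tokens(user, project)

    def _purge_tokens(self, user, project):
        stale = [t for t, rec in self._tokens.items()
                 if rec["user"] == user and rec["project"] == project]
        for t in stale:
            del self._tokens[t]

    def authorize(self, tid, required_role, now=None):
        now = time.time() if now is None else now
        tok = self._tokens.get(tid)
        if tok is None or now >= tok["expires"]:
            return False
        return required_role in self.roles.roles(tok["user"], tok["project"])


def demonstrate():
    """Revoke 'admin' from alice after she holds a token; report whether that
    token still grants admin in each service, and whether a fresh one does."""
    results = {}
    for name, cls in (("vulnerable", VulnerableTokenService),
                      ("hardened", HardenedTokenService)):
        svc = cls(RoleStore())
        svc.grant("alice", "proj", "admin")
        old = svc.issue("alice", "proj")
        svc.revoke("alice", "proj", "admin")
        results[name] = {
            "old_token_still_admin": svc.authorize(old, "admin"),
            "fresh_token_admin": svc.authorize(svc.issue("alice", "proj"), "admin"),
        }
    return results


def backend_only_revoke_check():
    """Defence in depth: if the role is removed behind the service's back (no
    token purge), the hardened authorize still denies via the live lookup."""
    store = RoleStore()
    svc = HardenedTokenService(store)
    svc.grant("alice", "proj", "admin")
    tid = svc.issue("alice", "proj")
    store.revoke("alice", "proj", "admin")
    return svc.authorize(tid, "admin")


if __name__ == "__main__":
    print(demonstrate())
    print("hardened denies after backend-only revoke:", not backend_only_revoke_check())
```

Either fix alone closes the window: purging tokens is what an operator can verify from the outside (the old token stops validating immediately after the role change), while the live lookup guards against any path that changes assignments without going through the token service.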
Notes:
jdstrand> 2012.2~rc1-0ubuntu1 on 12.10 includes the fixes
jdstrand> Keystone on 11.10 is a pre-release version and unusable with other
components such as nova and horizon
Bugs:
https://bugs.launchpad.net/bugs/1041396
Priority: medium
Discovered-by: Dolph Mathews
Assigned-to:
Patches_keystone:
upstream_keystone: released (2012.2~rc1)
hardy_keystone: DNE
lucid_keystone: DNE
natty_keystone: DNE
oneiric_keystone: ignored
precise_keystone: released (2012.1+stable~20120824-a16a0ab9-0ubuntu2.2)
quantal_keystone: not-affected (2012.2~rc1-0ubuntu1)
devel_keystone: not-affected (2012.2~rc1-0ubuntu1)