CVE-2013-4222

Published: 30 September 2013

OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token.

Notes

Author: jdstrand

Debian states that the code is not present in Essex (as included in 12.04 LTS).

Essex does not invalidate user tokens when a tenant is disabled, but the 'keystone tenant-update --enable false ...' doesn't work due to a bug in python-keystoneclient. This bug was fixed in the following commit:
https://github.com/openstack/python-keystoneclient/commit/51f6cc6573319f66b6127d5f2b50e57949b59107
but this is not available in Ubuntu 12.04 LTS as of 2013/10/22. Furthermore, on Essex token revocation is not limited to the tenant (this was introduced in https://github.com/openstack/keystone/commit/4e1a0867f9e9f42dd7c2abe3a10ca8a8f7dddce3) and this functionality is required for the deficiency described by this CVE to make any sense. Ignoring on 12.04 LTS since disabling a tenant doesn't work, revocation of users via tenants doesn't work as described in this CVE, and because upstream considers this CVE a lack of a feature more than a security vulnerability.

test case in the bug
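As an added illustration (this is not Keystone's code and not the test case from the bug), the following Python model contrasts the behaviour the CVE describes with the fixed behaviour: a token scoped to a tenant keeps validating after the tenant is disabled, versus a store that revokes that tenant's tokens on disable and re-checks tenant state at validation time, leaving tokens for other tenants untouched. The class, user and tenant names are made up for the example.

```python
"""Model of the CVE-2013-4222 failure mode and its fix.

Added example, not Keystone code. It models only the pieces the CVE
concerns: a tenant enabled flag, tenant-scoped tokens, and validation.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Token:
    token_id: str
    user_id: str
    tenant_id: str
    expires: float


class VulnerableTokenStore:
    """Disabling a tenant only flips its flag; tokens already issued for
    that tenant stay valid until they expire (the behaviour the CVE describes)."""

    def __init__(self):
        self.tenants = {}   # tenant_id -> enabled flag
        self.tokens = {}    # token_id -> Token

    def create_tenant(self, tenant_id, enabled=True):
        self.tenants[tenant_id] = enabled

    def issue_token(self, user_id, tenant_id, ttl=3600):
        # Issuance does check the tenant; the gap is what happens afterwards.
        if not self.tenants.get(tenant_id, False):
            raise PermissionError("tenant disabled or unknown")
        tok = Token(secrets.token_hex(16), user_id, tenant_id, time.time() + ttl)
        self.tokens[tok.token_id] = tok
        return tok.token_id

    def disable_tenant(self, tenant_id):
        self.tenants[tenant_id] = False

    def validate(self, token_id):
        tok = self.tokens.get(token_id)
        return tok is not None and tok.expires > time.time()


class FixedTokenStore(VulnerableTokenStore):
    """Two independent corrections: revoke the tenant's tokens when it is
    disabled, and re-check the tenant flag on every validation so a token
    that slipped past revocation is still rejected."""

    def disable_tenant(self, tenant_id):
        super().disable_tenant(tenant_id)
        # Revocation is limited to tokens scoped to this tenant.
        revoked = [tid for tid, t in self.tokens.items() if t.tenant_id == tenant_id]
        for tid in revoked:
            del self.tokens[tid]
        return len(revoked)

    def validate(self, token_id):
        tok = self.tokens.get(token_id)
        if tok is None or tok.expires <= time.time():
            return False
        return self.tenants.get(tok.tenant_id, False)


def demo(store_cls):
    """Issue tokens for two tenants, disable one, and report which still validate.

    Returns (victim_token_still_valid, other_tenant_token_still_valid).
    """
    store = store_cls()
    store.create_tenant("acme")
    store.create_tenant("other")
    victim = store.issue_token("alice", "acme")
    bystander = store.issue_token("bob", "other")
    store.disable_tenant("acme")
    return store.validate(victim), store.validate(bystander)


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableTokenStore))  # token for disabled tenant still valid
    print("fixed:     ", demo(FixedTokenStore))       # only the other tenant's token survives
```

The same sequence is what a live check against a Keystone deployment looks like: obtain a token scoped to a tenant, run `keystone tenant-update --enable false` on that tenant as admin, then validate the token through the admin API. A fixed Keystone rejects the token while tokens scoped to other tenants keep working.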

Priority

Low

Status

Package: keystone (Launchpad, Ubuntu, Debian)

Release   Status
lucid     Does not exist
precise   Not vulnerable
quantal   Released (2012.2.4-0ubuntu3.2)
raring    Released (1:2013.1.3-0ubuntu1.1)
saucy     Not vulnerable (1:2013.2~rc4-0ubuntu1)
upstream  Released (1:2013.2~rc4)

Patches:
upstream: https://review.openstack.org/#/c/46381/
upstream: https://review.openstack.org/46371