Bug 519144 (CVE-2014-5251) - sys-auth/keystone: Multiple vulnerabilities in Keystone revocation events (CVE-2014-{5251,5252,5253})
Summary: sys-auth/keystone: Multiple vulnerabilities in Keystone revocation events (CV...
Status: RESOLVED FIXED
Alias: CVE-2014-5251
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2014/q3/296
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-05 16:21 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2014-08-25 19:55 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-05 16:21:40 UTC
From ${URL}:
Three vulnerabilities were discovered in OpenStack (see below). In order
to ensure full traceability, we need CVE number(s) assigned that we can
attach to further notifications. These issues are already public,
although an advisory was not sent yet.

Title: Multiple vulnerabilities in Keystone revocation events
Reporter: Lance Bragstad (Rackspace) and Brant Knudson (IBM)
Products: Keystone
Versions: 2014.1 versions up to 2014.1.1

Description:
Lance Bragstad from Rackspace and Brant Knudson from IBM reported 3
vulnerabilities in Keystone revocation events. Lance Bragstad discovered
that UUID v2 tokens processed by the V3 API are incorrectly updated and
get their "issued_at" time regenerated. Brant Knudson discovered that
the MySQL token driver stores expiration dates incorrectly which
prevents manual revocation and that domain-scoped tokens don't get
revoked when the domain is disabled. Tokens impacted by one of these
bugs may allow a user to evade token revocation. Only Keystone setups
configured to use revocation events are affected.

References:
https://launchpad.net/bugs/1347961
https://launchpad.net/bugs/1348820
https://launchpad.net/bugs/1349597
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2014-08-08 13:14:30 UTC
There is as yet no CVE listing at the link at $URL.  The first patch under References: is a mismatch to the files of keystone-2014.1.1-r2. Not sure where this one is going.
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-08-19 02:40:15 UTC
fixed in sys-auth/keystone-2014.1.2.1
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-08-19 02:41:55 UTC
vulnerable removed as well ( sys-auth/keystone-2014.1.1-r2 )
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-19 09:05:35 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #3)
> vulnerable removed as well ( sys-auth/keystone-2014.1.1-r2 )

Thank you for the fix and cleanup.

No stabilized versions, closing noglsa.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-08-25 19:55:39 UTC
CVE-2014-5253 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5253):
  OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before
  Juno-3 does not properly revoke tokens when a domain is invalidated, which
  allows remote authenticated users to retain access via a domain-scoped token
  for that domain.

CVE-2014-5252 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5252):
  The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and
  Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which
  allows remote authenticated users to bypass the token expiration and retain
  access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.

CVE-2014-5251 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5251):
  The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before
  2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect
  precision, which causes the expiration comparison for tokens to fail and
  allows remote authenticated users to retain access via an expired token.
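The precision problem behind CVE-2014-5251, as an added illustration that is not Keystone's code: a constructed model in which revocation events are keyed on the token's expiry, the backend keeps only whole seconds (assumed, standing in for the MySQL driver's behaviour), and the lookup compares the in-memory expiry, which still carries microseconds. The naive comparison never matches, so the revoked token stays valid; normalising both sides to the stored precision before comparing restores the match.

```python
from datetime import datetime, timedelta


def truncate_to_seconds(ts: datetime) -> datetime:
    """Model a backend column that keeps only whole seconds (assumed)."""
    return ts.replace(microsecond=0)


class RevocationEvents:
    """Constructed revocation-event store keyed by (user_id, expires_at).

    The key is normalised on write, mirroring a backend that silently drops
    sub-second precision when storing a timestamp.
    """

    def __init__(self, store_normalize=truncate_to_seconds):
        self._store_normalize = store_normalize
        self._events = set()

    def record_revocation(self, user_id: str, expires_at: datetime) -> None:
        # What lands in the store is the truncated expiry, not the original.
        self._events.add((user_id, self._store_normalize(expires_at)))

    def is_revoked_naive(self, user_id: str, expires_at: datetime) -> bool:
        # Vulnerable check: compares the full-precision expiry the token
        # carries against the truncated value in the store, so it never matches.
        return (user_id, expires_at) in self._events

    def is_revoked_fixed(self, user_id: str, expires_at: datetime) -> bool:
        # Hardened check: normalise the lookup key the same way as the stored key.
        return (user_id, self._store_normalize(expires_at)) in self._events


def demo(microsecond: int = 123456) -> tuple:
    """Return (naive_result, fixed_result) for a token revoked by an admin.

    Constructed timestamps; the token expiry carries sub-second precision
    whenever `microsecond` is non-zero.
    """
    issued_at = datetime(2014, 8, 5, 16, 21, 40, microsecond)
    expires_at = issued_at + timedelta(hours=1)
    events = RevocationEvents()
    events.record_revocation("user-a", expires_at)  # manual revocation
    return (events.is_revoked_naive("user-a", expires_at),
            events.is_revoked_fixed("user-a", expires_at))


if __name__ == "__main__":
    print(demo())  # (False, True): naive check misses the revocation
```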