CVE-2013-4222

Published: 30 September 2013

OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token.

Priority

Low

Status

Package: keystone (Launchpad, Ubuntu, Debian)
Upstream: Released (1:2013.2~rc4)

Patches:
Upstream: https://review.openstack.org/#/c/46381/ (folsom)
Upstream: https://review.openstack.org/46371 (grizzly)

Notes

Author: jdstrand
Note:
Debian states that the code is not present in Essex (as included in 12.04 LTS).
Essex does not invalidate user tokens when a tenant is disabled, but
'keystone tenant-update --enable false ...' doesn't work due to a bug in
python-keystoneclient. This bug was fixed in the following commit:
https://github.com/openstack/python-keystoneclient/commit/51f6cc6573319f66b6127d5f2b50e57949b59107
but this is not available in Ubuntu 12.04 LTS as of 2013/10/22. Furthermore,
on Essex token revocation is not limited to the tenant (this was introduced in
https://github.com/openstack/keystone/commit/4e1a0867f9e9f42dd7c2abe3a10ca8a8f7dddce3)
and this functionality is required for the deficiency described by this CVE
to make any sense. Ignoring on 12.04 LTS since disabling a tenant doesn't
work, revocation of users via tenants doesn't work as described in this CVE,
and because upstream considers this CVE a lack of a feature more than a
security vulnerability.
Test case in the bug.

References

Bugs