Published: 30 September 2013
OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token.
Debian states that the code is not present in Essex (as included in 12.04 LTS) Essex does not invalidate user tokens when a tenant is disabled, but the 'keystone tenant-update --enable false ...' doesn't work to a bug in python-keystoneclient. This bug was fixed in the following commit: https://github.com/openstack/python-keystoneclient/commit/51f6cc6573319f66b6127d5f2b50e57949b59107 but this is not available in Ubuntu 12.04 LTS as of 2013/10/22. Furthermore, on Essex token revocation is not limited to the tenant (this was introduced in https://github.com/openstack/keystone/commit/4e1a0867f9e9f42dd7c2abe3a10ca8a8f7dddce3) and this functionality is required for the deficiency described by this CVE to make any sense. Ignoring on 12.04 LTS since disabling a tenant doesn't work, revocation of users via tenants doesn't work as described in this CVE and because upstream considers this CVE a lack of a feature more than a security vulnerability. test case in the bug