Bug 821201 - VUL-1: CVE-2013-2104: openstack-keystone: Missing expiration check in Keystone PKI token validation
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low  Severity: Normal
Assigned To: Security Team bot
Reported: 2013-05-22 12:38 UTC by Matthias Weckbecker
Modified: 2013-09-27 12:05 UTC (History)
Comment 3 Swamp Workflow Management 2013-05-22 22:00:17 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2013-05-31 14:43:56 UTC
public
Comment 5 Marcus Meissner 2013-05-31 14:44:21 UTC
public

OpenStack Security Advisory: 2013-014
CVE: CVE-2013-2104
Date: May 28, 2013
Title: Missing expiration check in Keystone PKI tokens validation
Reporter: Eoghan Glynn (Red Hat), Alex Meade (Rackspace)
Products/Affects: Keystone (Folsom only), python-keystoneclient (0.2.0+)

Description:
Eoghan Glynn from Red Hat and Alex Meade from Rackspace both reported a
vulnerability in expiry checks for PKI tokens in the Keystone
authentication middleware. Expired tokens for authenticated users could
continue to be used, potentially resulting in the bypass of intended
security policies. The effect of PKI token revocation is also reversed
when the token expires, in the sense that a revoked token is once again
treated as being valid. Only setups using PKI tokens are affected.

Note:
The affected code was added to Keystone in the Folsom release, but was
moved to python-keystoneclient during the Grizzly development cycle.

python-keystoneclient fix (will be included in upcoming 0.2.4 release):
https://review.openstack.org/#/c/30742/

Keystone (Folsom) fix:
https://review.openstack.org/#/c/30743/

References:
https://bugs.launchpad.net/python-keystoneclient/+bug/1179615
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2104

-- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
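The two effects the advisory describes (an expired token that is still accepted, and a revoked token that becomes "valid" again once its expiry passes) as an added illustration in Python. This is a model written for this page, not the python-keystoneclient or Keystone code; the Token and RevocationList classes, the timeline, and the assumption that the revocation list is pruned of entries whose token has already expired are all constructed for the example.

```python
"""Model of the CVE-2013-2104 failure mode: a PKI token validator that never
checks the token's own expiry and relies on the revocation list alone.
Hypothetical code written for illustration, not Keystone's implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Token:
    token_id: str
    user: str
    expires: datetime


@dataclass
class RevocationList:
    """Revoked token ids, each with the expiry of the revoked token (assumed
    layout). prune() drops entries whose token has expired; that is a sensible
    cleanup on its own, but combined with a validator that skips the expiry
    check it silently reinstates the revoked token."""
    revoked: dict = field(default_factory=dict)  # token_id -> expires

    def revoke(self, token):
        self.revoked[token.token_id] = token.expires

    def prune(self, now):
        self.revoked = {tid: exp for tid, exp in self.revoked.items() if exp > now}

    def is_revoked(self, token_id):
        return token_id in self.revoked


def validate_vulnerable(token, revocations, now):
    """Before the fix: only the revocation list is consulted; `now` is unused."""
    return not revocations.is_revoked(token.token_id)


def validate_fixed(token, revocations, now):
    """After the fix: an expired token is rejected first, so a pruned
    revocation list can no longer bring it back to life."""
    if token.expires <= now:
        return False
    return not revocations.is_revoked(token.token_id)


def scenario():
    """Walk constructed tokens through issue, expiry, revocation and pruning.
    Returns (vulnerable_verdict, fixed_verdict) for each step."""
    t0 = datetime(2013, 5, 28, 12, 0, tzinfo=timezone.utc)  # constructed timeline
    tok = Token("tok-1", "alice", expires=t0 + timedelta(hours=1))
    other = Token("tok-2", "bob", expires=t0 + timedelta(minutes=10))
    rl = RevocationList()
    results = {}

    # Fresh, unrevoked token: both validators accept.
    results["fresh"] = (validate_vulnerable(tok, rl, t0), validate_fixed(tok, rl, t0))

    # Revoked while still inside its lifetime: both validators reject.
    rl.revoke(tok)
    t1 = t0 + timedelta(minutes=30)
    results["revoked"] = (validate_vulnerable(tok, rl, t1), validate_fixed(tok, rl, t1))

    # A token that simply expired, never revoked: the vulnerable validator
    # still accepts it (first effect in the advisory).
    results["expired_unrevoked"] = (validate_vulnerable(other, rl, t1),
                                    validate_fixed(other, rl, t1))

    # The revoked token has expired and the list was pruned: the vulnerable
    # validator accepts it again (second effect), the fixed one still rejects.
    t2 = t0 + timedelta(hours=2)
    rl.prune(t2)
    results["expired_pruned"] = (validate_vulnerable(tok, rl, t2), validate_fixed(tok, rl, t2))
    return results


if __name__ == "__main__":
    for step, (vuln, fixed) in scenario().items():
        print(f"{step:18s} vulnerable={vuln!s:5s} fixed={fixed}")
```

The ordering in validate_fixed is the point: expiry is a property of the token itself and must be enforced by the validator, independently of any revocation bookkeeping, because the revocation list is allowed to forget tokens that should already be dead.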
Comment 7 Vincent Untz 2013-06-17 03:00:05 UTC
Fix for openSUSE 12.3 submitted in sr#179261.
Comment 8 Swamp Workflow Management 2013-06-27 09:04:22 UTC
openSUSE-SU-2013:1089-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 821201,823783
CVE References: CVE-2013-2104,CVE-2013-2157
Sources used:
openSUSE 12.3 (src):    openstack-keystone-2012.2.4+git.1363796849.255b1d4-3.16.1, openstack-keystone-doc-2012.2.4+git.1363796849.255b1d4-3.16.1
Comment 12 Marcus Meissner 2013-09-27 12:05:10 UTC
so fixed