Bug 839876 - VUL-0: CVE-2013-4294: OSSA-2013-025: openstack-keystone: Token revocation failure using Keystone memcache/KVS backends
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
maint:released:sle11-sp3:55534
Depends on:
Blocks:
Reported: 2013-09-12 09:04 UTC by Alexander Bergmann
Modified: 2014-01-31 16:07 UTC (History)
Description Alexander Bergmann 2013-09-12 09:04:28 UTC
Public via oss-security.

Date: Wed, 11 Sep 2013 17:44:25 +0200
From: Thierry Carrez
Subject: [oss-security] [OSSA 2013-025] Token revocation failure using Keystone memcache/KVS backends (CVE-2013-4294)

OpenStack Security Advisory: 2013-025
CVE: CVE-2013-4294
Date: September 11, 2013
Title: Token revocation failure using Keystone memcache/KVS backends
Reporter: Kieran Spear (University of Melbourne)
Products: Keystone
Affects: Folsom, Grizzly

Description:
Kieran Spear from the University of Melbourne reported a vulnerability
in Keystone memcache and KVS token backends. The PKI token revocation
lists stored the entire token instead of the token ID, triggering
comparison failures, ultimately resulting in revoked PKI tokens still
being considered valid. Only Folsom and Grizzly Keystone setups making
use of PKI tokens with the memcache or KVS token backends are affected.
Havana setups, setups using UUID tokens, or setups using PKI tokens with
the SQL token backend are all unaffected.

Grizzly fix:
https://review.openstack.org/#/c/46080/

Folsom fix:
https://review.openstack.org/#/c/46079/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4294
https://bugs.launchpad.net/keystone/+bug/1202952
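To make the failure mode in the advisory concrete, the following is a constructed model added here; it is not Keystone's code and does not reproduce the project's memcache/KVS backend API. A small in-memory token store can be switched between the defective behaviour (revocation-list entries carry the whole token record in their "id" field) and the corrected one (entries carry only the token ID string). The consumer-side check compares a token ID against the list, so with the defective form the comparison never matches and a revoked token is still accepted. The `pki_token_id` helper, the store class, and the `demo` and audit functions are all assumptions made for this illustration.

```python
"""Constructed model of the revocation-list mismatch described in OSSA-2013-025.

Illustrative code only, not Keystone's implementation.
"""
import hashlib
import time


def pki_token_id(signed_blob: str) -> str:
    """Derive a token ID from the signed token body.

    Constructed stand-in: a hash of a placeholder string plays the role of the
    ID derived from a PKI token's signed payload.
    """
    return hashlib.sha256(signed_blob.encode("utf-8")).hexdigest()


class InMemoryTokenStore:
    """Model of a memcache/KVS-style token backend (constructed, not Keystone)."""

    def __init__(self, store_whole_token_in_revocation_list: bool):
        self.defective = store_whole_token_in_revocation_list
        self._tokens = {}   # token_id -> token record
        self._revoked = []  # revocation-list entries: {"id": ..., "expires": ...}

    def create_token(self, signed_blob: str, ttl_seconds: int = 3600) -> str:
        token_id = pki_token_id(signed_blob)
        self._tokens[token_id] = {
            "id": token_id,
            "signed": signed_blob,
            "expires": time.time() + ttl_seconds,
        }
        return token_id

    def revoke_token(self, token_id: str) -> None:
        record = self._tokens[token_id]
        if self.defective:
            # Defective behaviour: the entry's "id" field holds the whole token
            # record (a dict), which never compares equal to a token ID string.
            self._revoked.append({"id": record, "expires": record["expires"]})
        else:
            # Corrected behaviour: only the token ID string is stored.
            self._revoked.append({"id": token_id, "expires": record["expires"]})

    def list_revoked_tokens(self):
        return list(self._revoked)


def is_token_revoked(store: InMemoryTokenStore, token_id: str) -> bool:
    """Consumer-side check: is this token ID present in the revocation list?"""
    revoked_ids = [entry["id"] for entry in store.list_revoked_tokens()]
    return token_id in revoked_ids


def validate(store: InMemoryTokenStore, token_id: str) -> bool:
    """Accept a token only if it is known, unexpired and not revoked."""
    record = store._tokens.get(token_id)
    if record is None or record["expires"] < time.time():
        return False
    return not is_token_revoked(store, token_id)


def revocation_list_is_well_formed(store: InMemoryTokenStore) -> bool:
    """Audit check: every revocation entry must carry a string token ID."""
    return all(isinstance(e["id"], str) for e in store.list_revoked_tokens())


def demo(vulnerable: bool) -> bool:
    """Create a token, revoke it, and report whether validation still accepts it.

    Returns True when the revocation was silently ignored.
    """
    store = InMemoryTokenStore(store_whole_token_in_revocation_list=vulnerable)
    tid = store.create_token("constructed-signed-token-body")
    if not validate(store, tid):
        raise RuntimeError("fresh token should validate before revocation")
    store.revoke_token(tid)
    return validate(store, tid)


if __name__ == "__main__":
    print("defective list still accepts revoked token:", demo(vulnerable=True))
    print("corrected list still accepts revoked token:", demo(vulnerable=False))
    bad = InMemoryTokenStore(store_whole_token_in_revocation_list=True)
    bad.revoke_token(bad.create_token("constructed-signed-token-body"))
    print("audit flags defective list:", not revocation_list_is_well_formed(bad))
```

The `revocation_list_is_well_formed` check is the kind of assertion an operator could run against a dumped revocation list to confirm entries are bare token IDs rather than token records; a type mismatch of this sort is invisible to the membership test itself, which simply returns False.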
Comment 2 Swamp Workflow Management 2013-09-12 22:00:34 UTC
bugbot adjusting priority
Comment 3 Sascha Peilicke 2013-10-02 11:08:59 UTC
Upstream fix is part of our openstack-keystone package currently in Devel:Cloud:2.0:Staging. Will be part of next update, thus closing.
Comment 5 Sascha Peilicke 2013-12-06 13:29:12 UTC
sr#29776
Comment 7 Swamp Workflow Management 2013-12-17 09:26:23 UTC
The SWAMPID for this issue is 55533.
This issue was rated as moderate.
Please submit fixed packages by 2013-12-31.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 8 Swamp Workflow Management 2014-01-30 17:45:53 UTC
Update released for: openstack-keystone, openstack-keystone-doc, openstack-keystone-test, python-keystone
Products:
SUSE-CLOUD 2.0 (x86_64)
Comment 9 Swamp Workflow Management 2014-01-30 21:05:39 UTC
SUSE-SU-2014:0163-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 837800,839876,843443,848066
CVE References: CVE-2013-4222,CVE-2013-4477
Sources used:
SUSE Cloud 2.0 (src):    openstack-keystone-2013.1.5.a2.g82dcde0-0.7.1, openstack-keystone-doc-2013.1.5.a2.g82dcde0-0.7.1