Bug 1201639 - (CVE-2022-2447) VUL-0: CVE-2022-2447: openstack-keystone: Application credential token is valid beyond credentials expiration
(CVE-2022-2447)
VUL-0: CVE-2022-2447: openstack-keystone: Application credential token is val...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/337462/
CVSSv3.1:SUSE:CVE-2022-2447:3.7:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-07-19 10:34 UTC by Hu
Modified: 2022-07-19 12:57 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hu 2022-07-19 10:34:48 UTC
rh#2105419

Description of problem:
Keystone issues tokens with the default lifespan regardless of the lifespan of the application credentials used to issue them.
If the configured lifespan of an identity token is set to be 1h, and the application credentials expire in 1 minute from now, a newly issued token will outlive the application credentials used to issue it by 59 minutes.

How reproducible: 100%

Steps to Reproduce:
1. Create application credentials with short expiration time (e.g. 10 seconds)
2. openstack token issue
--> the returned token has standard expiration, for example 1 hour. The script below confirms that the token continue being valid after the application credentials expired.

```bash
#!/usr/bin/env bash

set -Eeuo pipefail

openstack image create --disk-format=raw --container-format=bare --file <(echo 'I am a Glance image') testimage -f json > image.json

image_url="$(openstack catalog show glance -f json | jq -r '.endpoints[] | select(.interface=="public").url')$(jq -r '.file' image.json)"

openstack application credential create \
	--expiration="$(date --utc --date '+10 second' +%Y-%m-%dT%H:%M:%S)" \
	token_test \
	-f json \
	> appcreds.json

cat <<EOF > clouds.yaml
clouds:
    ${OS_CLOUD}:
        auth:
            auth_url: <auth_url>
            application_credential_id: '$(jq -r '.id' appcreds.json)'
            application_credential_secret: '$(jq -r '.secret' appcreds.json)'
        auth_type: "v3applicationcredential"
        identity_api_version: 3
        interface: public
        region_name: <region_name>
EOF
# Override ~/.config/openstack/secure.yaml
touch secure.yaml

openstack token issue -f json > token.json

echo "appcreds expiration: $(jq -r '.expires_at' appcreds.json)"
for i in {1..10}; do
	sleep 100
	echo -ne "$(date --utc --rfc-3339=seconds)\t"
	curl -isS -H "X-Auth-Token: $(jq -r '.id' token.json)" --url "$image_url" | head -n1
done

```

Actual results (on a cloud with tokens duration of 24h):
appcreds expiration: 2022-07-08T13:55:02.000000
2022-07-08 13:56:38+00:00       HTTP/1.1 200 OK
2022-07-08 13:58:19+00:00       HTTP/1.1 200 OK
2022-07-08 14:00:00+00:00       HTTP/1.1 200 OK
2022-07-08 14:01:42+00:00       HTTP/1.1 200 OK
2022-07-08 14:03:23+00:00       HTTP/1.1 200 OK
2022-07-08 14:05:07+00:00       HTTP/1.1 200 OK
2022-07-08 14:06:49+00:00       HTTP/1.1 200 OK
2022-07-08 14:08:37+00:00       HTTP/1.1 200 OK
2022-07-08 14:10:18+00:00       HTTP/1.1 200 OK
2022-07-08 14:12:00+00:00       HTTP/1.1 200 OK

Expected results:
appcreds expiration: 2022-07-08T13:55:02.000000
2022-07-08 13:54:38+00:00       HTTP/1.1 200 OK
2022-07-08 13:58:19+00:00       HTTP/1.1 401 Unauthorized
2022-07-08 14:00:00+00:00       HTTP/1.1 401 Unauthorized
2022-07-08 14:01:42+00:00       HTTP/1.1 401 Unauthorized
2022-07-08 14:03:23+00:00       HTTP/1.1 401 Unauthorized
2022-07-08 14:05:07+00:00       HTTP/1.1 401 Unauthorized
2022-07-08 14:06:49+00:00       HTTP/1.1 401 Unauthorized
2022-07-08 14:08:37+00:00       HTTP/1.1 401 Unauthorized
2022-07-08 14:10:18+00:00       HTTP/1.1 401 Unauthorized
2022-07-08 14:12:00+00:00       HTTP/1.1 401 Unauthorized

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2105419
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2447