Release date:
Updated on:
Affected Systems:
Openstack Keystone
Description:
--------------------------------------------------------------------------------
Bugtraq id: 62331
CVE (CAN) ID: CVE-2013-4294
OpenStack Keystone is a project that provides identity, Token, directory, and policy services for the OpenStack series.
A security vulnerability exists in the memcache and KVS token backends of Keystone (Folsom and Grizzly). The PKI token revocation list stores the entire token instead of the token ID, so the comparison that should match a presented token ID against the list is never triggered, and a revoked PKI token is still considered valid. Only Folsom and Grizzly Keystone deployments that use PKI tokens with the memcache or KVS token backend are affected.
<* Source: Kieran Spear
Link: http://seclists.org/oss-sec/2013/q3/586
*>
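The following is an added illustration of the flaw described above and of the corrected behaviour; it is a simplified model written for this page, not Keystone's own code. The class and function names (VulnerableRevocationList, FixedRevocationList, audit_revocation_entries, demo) are hypothetical, and a SHA-256 of the token body stands in for a real PKI token ID.

```python
import hashlib
import json


def make_token(user, tenant):
    """Build a constructed sample token (not a real Keystone token).

    Assumption: the token ID is a hash over the token body, which is a
    stand-in for the way a PKI token's ID is derived from its signed payload.
    """
    body = {"user": user, "tenant": tenant}
    token_id = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {"id": token_id, "body": body}


class VulnerableRevocationList:
    """Models the advisory's bug: revoke() records the whole token dict,
    but is_revoked() is asked about a token ID string, so the membership
    test compares a string against dicts and never matches."""

    def __init__(self):
        self.entries = []

    def revoke(self, token):
        self.entries.append(token)  # stores the entire token, not its ID

    def is_revoked(self, token_id):
        return token_id in self.entries  # str vs dict: always False


class FixedRevocationList:
    """Stores only the token ID and compares like with like."""

    def __init__(self):
        self.entries = set()

    def revoke(self, token):
        self.entries.add(token["id"])  # store the ID only

    def is_revoked(self, token_id):
        return token_id in self.entries


def validate(token_id, revocation_list):
    """Return True when a token with this ID should still be accepted."""
    return not revocation_list.is_revoked(token_id)


def audit_revocation_entries(entries):
    """Defensive check for a stored revocation list: count entries that are
    not plain token-ID strings. Any non-zero result means lookups by token
    ID cannot match those entries, which is exactly the failure mode here."""
    return sum(1 for e in entries if not isinstance(e, str))


def demo():
    tok = make_token("alice", "demo-tenant")
    vuln, fixed = VulnerableRevocationList(), FixedRevocationList()
    vuln.revoke(tok)
    fixed.revoke(tok)
    return {
        "vulnerable_accepts_revoked": validate(tok["id"], vuln),
        "fixed_accepts_revoked": validate(tok["id"], fixed),
        "bad_entries_in_vulnerable_list": audit_revocation_entries(vuln.entries),
        "bad_entries_in_fixed_list": audit_revocation_entries(fixed.entries),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the revoked token is still accepted by the vulnerable list purely because of the type mismatch between what was stored and what is looked up; the audit helper shows how an operator could spot that mismatch in a persisted list before trusting its revocation results.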
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Openstack
---------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://lists.openstack.org/pipermail/openstack-announce/
Grizzly fix:
https://review.openstack.org/#/c/46080/
Folsom fix:
https://review.openstack.org/#/c/46079/
Refer:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4294
https://bugs.launchpad.net/keystone/+bug/1202952