Release date:
Updated on: 2013-05-12
Affected Systems:
Openstack Keystone
Description:
--------------------------------------------------------------------------------
Bugtraq id: 59787
CVE (CAN) ID: CVE-2013-2059
OpenStack Keystone is a project that provides identity, Token, directory, and policy services for the OpenStack series.
Keystone (Folsom), Keystone (Havana), and Keystone (Grizzly) have a security vulnerability. After a user is deleted through the Keystone v2 API, the deleted user's tokens are not invalidated immediately, so the deleted user can continue to access OpenStack services with those tokens until they expire.
<* Source: Sam Stoelinga
Link: https://lists.launchpad.net/openstack/msg23489.html
*>
Suggestion:
--------------------------------------------------------------------------------
Temporary solution:
If you cannot install or upgrade the patch immediately, NSFOCUS recommends that you take the following measures to reduce the threat:
* Disable the user account before deleting it. Disabling a user invalidates that user's tokens immediately, so the subsequent deletion leaves no usable token behind.
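The following script is an added example, not code from NSFOCUS, OpenStack or the advisory itself. It shows the workaround above as a deprovisioning routine against the Keystone v2 admin API (disable, then delete, then confirm that any known token of the user is rejected) and pairs it with a small constructed in-memory stand-in for a vulnerable Keystone that models the behaviour the description gives: DELETE removes the user record but leaves its tokens valid, while disabling the user revokes them. The admin endpoint URL, the admin token, the user id and the token id are placeholders; the v2 paths used (`PUT /v2.0/users/{id}/OS-KSADM/enabled`, `DELETE /v2.0/users/{id}`, `GET /v2.0/tokens/{id}`) are assumed to match the v2 admin API.

```python
"""Disable-then-delete deprovisioning for Keystone v2 (added example, not project code)."""
import json
import urllib.error
import urllib.request

ADMIN_URL = "http://keystone.example.invalid:35357"  # placeholder admin endpoint (assumption)


def http_call(method, url, admin_token, body=None):
    """Default transport: one JSON request carrying the admin token.
    Returns (http_status, parsed_json_or_None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Auth-Token", admin_token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def disable_user(admin_token, user_id, call=http_call, base=ADMIN_URL):
    """Set enabled=false via the OS-KSADM admin extension (assumed v2 path)."""
    status, _ = call("PUT", f"{base}/v2.0/users/{user_id}/OS-KSADM/enabled",
                     admin_token, {"user": {"enabled": False}})
    return status == 200


def delete_user(admin_token, user_id, call=http_call, base=ADMIN_URL):
    """DELETE the user record (the call that, on its own, leaves tokens alive)."""
    status, _ = call("DELETE", f"{base}/v2.0/users/{user_id}", admin_token)
    return status == 204


def token_is_valid(admin_token, token_id, call=http_call, base=ADMIN_URL):
    """Admin-side token validation: 200 means Keystone still honours the token."""
    status, _ = call("GET", f"{base}/v2.0/tokens/{token_id}", admin_token)
    return status == 200


def deprovision_user(admin_token, user_id, known_tokens=(), call=http_call, base=ADMIN_URL):
    """Apply the advisory's workaround: disable first, then delete, then verify.
    Returns the list of known tokens that are still accepted (empty is the goal)."""
    if not disable_user(admin_token, user_id, call, base):
        raise RuntimeError(f"refusing to delete {user_id}: disable step failed")
    if not delete_user(admin_token, user_id, call, base):
        raise RuntimeError(f"delete of {user_id} failed after disable")
    return [t for t in known_tokens if token_is_valid(admin_token, t, call, base)]


class FakeKeystoneV2:
    """Constructed in-memory stand-in that models the vulnerable behaviour from the
    advisory: DELETE drops the user but not its tokens; disabling revokes them.
    Callable with the same (method, url, token, body) signature as http_call."""

    def __init__(self):
        self.users = {"u1": {"enabled": True}}   # constructed sample user
        self.tokens = {"tok-u1": "u1"}           # constructed sample token -> user

    def __call__(self, method, url, admin_token, body=None):
        parts = url.split("/v2.0/", 1)[1].split("/")
        if method == "PUT" and parts[0] == "users" and parts[-1] == "enabled":
            uid = parts[1]
            if uid not in self.users:
                return 404, None
            enabled = bool(body["user"]["enabled"])
            self.users[uid]["enabled"] = enabled
            if not enabled:  # disabling a user revokes that user's tokens
                self.tokens = {t: u for t, u in self.tokens.items() if u != uid}
            return 200, {"user": {"id": uid, "enabled": enabled}}
        if method == "DELETE" and parts[0] == "users":
            uid = parts[1]
            if uid not in self.users:
                return 404, None
            del self.users[uid]  # tokens deliberately left in place: the reported defect
            return 204, None
        if method == "GET" and parts[0] == "tokens":
            tid = parts[1]
            # Vulnerable validation only checks that the token record exists.
            return (200, {"access": {"token": {"id": tid}}}) if tid in self.tokens else (404, None)
        return 405, None


if __name__ == "__main__":
    vulnerable = FakeKeystoneV2()
    delete_user("admin-token", "u1", call=vulnerable)
    print("direct delete, token still valid:", token_is_valid("admin-token", "tok-u1", call=vulnerable))
    fixed_flow = FakeKeystoneV2()
    leftover = deprovision_user("admin-token", "u1", ("tok-u1",), call=fixed_flow)
    print("disable-then-delete, tokens still valid:", leftover)
```

Against a real deployment the `call` argument is left at its default so the requests go to the admin endpoint; the fake exists only to show why the order of operations matters. `deprovision_user` deliberately refuses to delete when the disable step fails, since a delete without a prior disable is exactly the path the advisory describes.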
Vendor patch:
Openstack
---------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://lists.openstack.org/pipermail/openstack-announce/
Havana (development branch) fix:
https://review.openstack.org/#/c/28677/
Grizzly fix:
https://review.openstack.org/#/c/28678/
Folsom fix:
https://review.openstack.org/#/c/28679/
Refer:
https://bugs.launchpad.net/keystone/+bug/1166670
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2059