OSSA-2016-008: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
:Date: May 23, 2016
- Keystone: ==9.0.0
Lance Bragstad (Rackspace) reported a vulnerability in the Keystone
Fernet Token Provider. By rescoping a token, a user receives a new
token without the correct audit_ids; these incorrect audit_ids
prevent the entire chain of tokens from being revoked properly. This
vulnerability does not impact revoking a token by its individual
audit_id. Only deployments with Keystone configured to use Fernet
tokens are impacted.
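As an added illustration (this is not Keystone's code), the following simplified model shows why a rescoped token that drops its chain id escapes chain revocation. It assumes the convention that a fresh token carries audit_ids = [own_audit_id] and a rescoped token carries [own_audit_id, audit_chain_id], the chain id being the audit_id of the first token in the chain; rescope_buggy mimics the behaviour described above, rescope_correct the intended one.

```python
"""Simplified model of Keystone's token audit chain (added illustration,
not Keystone's code). Assumption: a fresh token has audit_ids of length 1;
a rescoped token has [own_audit_id, audit_chain_id], where audit_chain_id
is the audit_id of the first token in the chain."""
import secrets
from dataclasses import dataclass


def new_audit_id():
    # Constructed random id, similar in shape to a base64url audit_id.
    return secrets.token_urlsafe(16)


@dataclass(frozen=True)
class Token:
    audit_ids: tuple

    @property
    def audit_id(self):
        return self.audit_ids[0]

    @property
    def audit_chain_id(self):
        # Chain id is the second element when present, else the own id.
        return self.audit_ids[-1]


def issue_token():
    return Token((new_audit_id(),))


def rescope_correct(parent):
    # Intended behaviour: the new token inherits the parent's chain id.
    return Token((new_audit_id(), parent.audit_chain_id))


def rescope_buggy(parent):
    # Behaviour described in the advisory: the chain id is not carried
    # over, so the rescoped token starts an unrelated chain.
    return Token((new_audit_id(),))


def is_revoked(token, revoked_chain_ids):
    # Revocation by audit_chain_id: the token is rejected iff its chain id
    # appears in the revocation list.
    return token.audit_chain_id in revoked_chain_ids


def chain_revocation_covers(rescope):
    """Issue a token, rescope it twice, revoke the original chain and
    report whether every token in the chain is now rejected."""
    root = issue_token()
    chain = [root, rescope(root)]
    chain.append(rescope(chain[-1]))
    revoked = {root.audit_chain_id}
    return all(is_revoked(t, revoked) for t in chain)
```

With rescope_correct every derived token is rejected once the root chain is revoked; with rescope_buggy only the root is, which is the revocation bypass the advisory describes.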
- https://review.openstack.org/#/c/312582/ (Mitaka)
- https://review.openstack.org/#/c/311886/ (Newton)
- Lance Bragstad from Rackspace (CVE-2016-4911)
- This fix was included in the openstack/keystone 9.0.1 (mitaka) release.
OpenStack Vulnerability Management Team
OpenStack-announce mailing list