
yahoo-eng-team team mailing list archive

[Bug 1348820] Re: [OSSA 2014-026] Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252)


** Summary changed:

- Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252)
+ [OSSA 2014-026] Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252)

** Changed in: ossa
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1348820

Title:
  [OSSA 2014-026] Token issued_at time changes on /v3/auth/token GET
  requests (CVE-2014-5252)

Status in OpenStack Identity (Keystone):
  Fix Committed
Status in Keystone icehouse series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  Steps to recreate

  1.) Generate a v2.0 token: http://pasteraw.com/37q9v3y80tlydltujo7vwfk7gcabggf

  2.) Pull token from the body of the response and use the /v3/auth/tokens/ GET api call to verify the token
  http://pasteraw.com/3oycofc541dil3d7hkzhihlcxlthqg4

  Notice that the 'issued_at' time of the token has changed.

  3.) Repeat step 2 and notice that the 'issued_at' time of the same token changes again.
  http://pasteraw.com/9wgyrmawewer1ptv5ct58w7pcrfb7zt

  The 'issued_at' time of a token should not change when validating the
  token using /v3/auth/token GET api call.

  This is because the issued_at time is being overwritten on GET here:
  https://github.com/openstack/keystone/blob/83c7805ed3787303f8497bc479469d9071783107/keystone/token/providers/common.py#L319

  This seems like it has been written strictly for POSTs? In the case of
  POST, the issued_at time needs to be generated, in the case of HEAD or
  GET, the issued_at time should already exist.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1348820/+subscriptions
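The defect the report describes (one token-data builder serving both issue and validate, so `issued_at` is stamped again on every GET) and the fix it implies (generate `issued_at` only when the token is created), as an added example that is not Keystone's code. `TokenStore`, `validate_buggy`, `validate_fixed` and the constructed `ticking_clock` timestamps are hypothetical; `issued_at_is_stable` is the regression check a deployer would run against an identity service before and after patching.

```python
"""Added example (not Keystone's code): why issued_at must be generated once,
at issue time, and reused on validation. All names are hypothetical."""
import datetime
import itertools
import secrets


def utc_now_iso():
    """Wall-clock timestamp used by default; tests substitute a fixed clock."""
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def ticking_clock(start=0):
    """Constructed deterministic clock: each call advances by one second."""
    counter = itertools.count(start)
    return lambda: f"2014-07-25T00:00:{next(counter):02d}Z"


class TokenStore:
    """In-memory token store (constructed for this example)."""

    def __init__(self, clock=utc_now_iso):
        self._clock = clock
        self._tokens = {}

    def issue(self, user_id):
        """POST /auth/tokens: issued_at is generated exactly once, here."""
        token_id = secrets.token_hex(16)
        self._tokens[token_id] = {"user_id": user_id, "issued_at": self._clock()}
        return token_id

    def validate_buggy(self, token_id):
        """GET /auth/tokens with the defect: the shared token-data builder
        stamps issued_at again, so the reported value drifts on every lookup."""
        ref = self._tokens[token_id]
        return self._build_token_data(ref, regenerate_issued_at=True)

    def validate_fixed(self, token_id):
        """GET /auth/tokens after the fix: reuse the stored issued_at and only
        generate one when the reference has none (i.e. at issue time)."""
        ref = self._tokens[token_id]
        return self._build_token_data(ref, regenerate_issued_at=False)

    def _build_token_data(self, ref, regenerate_issued_at):
        # Mirrors a provider path that is shared by POST and GET/HEAD: the
        # timestamp must only be minted when the token has none yet.
        data = {"user_id": ref["user_id"]}
        if regenerate_issued_at or "issued_at" not in ref:
            data["issued_at"] = self._clock()
        else:
            data["issued_at"] = ref["issued_at"]
        return data


def issued_at_is_stable(validate, token_id, rounds=3):
    """Regression check: validating the same token repeatedly must return
    the same issued_at every time."""
    seen = {validate(token_id)["issued_at"] for _ in range(rounds)}
    return len(seen) == 1


if __name__ == "__main__":
    store = TokenStore(clock=ticking_clock())
    tok = store.issue("alice")
    print("buggy validate stable?", issued_at_is_stable(store.validate_buggy, tok))
    print("fixed validate stable?", issued_at_is_stable(store.validate_fixed, tok))
```

Against a live service the same check is the three-step recreation from the report: issue once, validate twice, and diff the `issued_at` fields; any difference means the GET path is still minting timestamps.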

