yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1490804] Re: PKI Token Revocation Bypass (CVE-2015-7546)

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1490804@xxxxxxxxxxxxxxxxxx>
Date: Tue, 15 Dec 2015 20:48:37 -0000
Reply-to: Bug 1490804 <1490804@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone
       Status: Won't Fix => In Progress

** Changed in: keystone
     Assignee: Adam Young (ayoung) => Brant Knudson (blk-u)

** Changed in: keystonemiddleware
       Status: Won't Fix => In Progress

** Changed in: keystonemiddleware
     Assignee: Adam Young (ayoung) => Brant Knudson (blk-u)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1490804

Title:
  PKI Token Revocation Bypass (CVE-2015-7546)

Status in django-openstack-auth:
  Invalid
Status in OpenStack Identity (keystone):
  In Progress
Status in keystonemiddleware:
  In Progress
Status in OpenStack Security Advisory:
  Incomplete
Status in OpenStack Security Notes:
  New
Status in python-keystoneclient:
  Won't Fix

Bug description:
  A keystone token which has been revoked can still be used by manipulating particular byte fields within the token.
  When a Keystone token is revoked it is added to the revoked list which stores the exact token value. Any API will look at the token to see whether or not it should accept a token. By changing a single byte within the token, the revocation can be bypassed.  see the testing script [1].

  It is suggested that the revocation should be changed to only check
  the token's inner ID.

  [1] http://paste.openstack.org/show/436516/

To manage notifications about this bug go to:
https://bugs.launchpad.net/django-openstack-auth/+bug/1490804/+subscriptions