← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1490804] Re: PKI Token Revocation Bypass (CVE-2015-7546)

 

Reviewed:  https://review.openstack.org/258143
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=96ab58e6863c92575ada57615b19652e502adfd8
Submitter: Jenkins
Branch:    master

commit 96ab58e6863c92575ada57615b19652e502adfd8
Author: Brant Knudson <bknudson@xxxxxxxxxx>
Date:   Tue Dec 1 16:08:00 2015 -0600

    auth_token verify revocation by audit_id
    
    If the revocation list includes audit_ids, then when doing offline
    validation also validate the token isn't revoked by audit_id.
    
    Closes-Bug: 1490804
    Change-Id: I483bc57bd38eb81a0905bcaf94e4ea82604919d6


** Changed in: keystonemiddleware
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1490804

Title:
  PKI Token Revocation Bypass (CVE-2015-7546)

Status in django-openstack-auth:
  Invalid
Status in OpenStack Identity (keystone):
  Fix Released
Status in keystonemiddleware:
  Fix Released
Status in OpenStack Security Advisory:
  Confirmed
Status in OpenStack Security Notes:
  Fix Released
Status in python-keystoneclient:
  Won't Fix

Bug description:
  A keystone token which has been revoked can still be used by manipulating particular byte fields within the token.
  When a Keystone token is revoked it is added to the revoked list which stores the exact token value. Any API will look at the token to see whether or not it should accept a token. By changing a single byte within the token, the revocation can be bypassed.  see the testing script [1].

  It is suggested that the revocation should be changed to only check
  the token's inner ID.

  [1] http://paste.openstack.org/show/436516/

To manage notifications about this bug go to:
https://bugs.launchpad.net/django-openstack-auth/+bug/1490804/+subscriptions