yahoo-eng-team team mailing list archive
Message #90107
[Bug 1992183] Re: Openstack: Application credential token remains valid longer than expected (CVE-2022-2447)
Reviewed: https://review.opendev.org/c/openstack/keystone/+/861232
Committed: https://opendev.org/openstack/keystone/commit/8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1
Submitter: "Zuul (22348)"
Branch: master
commit 8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1
Author: Dave Wilde (d34dh0r53) <dwilde@xxxxxxxxxx>
Date: Thu Oct 13 15:37:53 2022 -0500
Limit token expiration to application credential expiration
If a token is issued with an application credential we need to check
the expiration of the application credential to ensure that the token
does not outlive the application credential. This ensures that if the
token expiration is greater than that of the application credential it
is reset to the expiration of the application credential and a warning
is logged. Please see CVE-2022-2447 for more information.
Closes-Bug: 1992183
Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2
** Changed in: keystone
Status: In Progress => Fix Released
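The commit message above describes the fix in one sentence: clamp the token's expiry to the application credential's expiry and log a warning when that happens. The block below is an added illustration of that logic, not keystone's own code; the function names, the `ValueError` for an already-expired credential, and the default lifetime constant are assumptions (keystone's default `[token] expiration` is 3600 seconds, which the constant mirrors). It shows the pre-fix behaviour beside the fixed one, and a small check an operator can run on the `.expires` field from `openstack token issue -f json` against the `.expires_at` field of the application credential to see whether a cloud is affected.

```python
"""Token-expiry clamp for application-credential tokens (CVE-2022-2447).

Added illustration, not keystone's code: function names, the exception
type and the default lifetime below are assumptions for this example.
"""
import logging
from datetime import datetime, timedelta, timezone

LOG = logging.getLogger(__name__)

# Assumed default; mirrors keystone's default [token]/expiration of 3600 s.
DEFAULT_TOKEN_LIFETIME = timedelta(seconds=3600)


def parse_keystone_ts(ts: str) -> datetime:
    """Parse a timestamp as keystone prints it, e.g.
    '2022-07-08T13:55:02.000000' (naive, UTC) or a '...Z' variant."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _aware(ts: datetime) -> datetime:
    """Naive timestamps from keystone are UTC; make them comparable."""
    return ts if ts.tzinfo is not None else ts.replace(tzinfo=timezone.utc)


def token_expiry_before_fix(now, app_cred_expires_at=None,
                            lifetime=DEFAULT_TOKEN_LIFETIME):
    """Pre-fix behaviour: the credential's expiry is never consulted."""
    return _aware(now) + lifetime


def token_expiry_after_fix(now, app_cred_expires_at=None,
                           lifetime=DEFAULT_TOKEN_LIFETIME):
    """Fixed behaviour: the token must not outlive the application credential."""
    now = _aware(now)
    expires_at = now + lifetime
    if app_cred_expires_at is None:
        return expires_at  # credential has no expiry; default lifetime applies
    cred_expires_at = _aware(app_cred_expires_at)
    if cred_expires_at <= now:
        # Assumed handling: an expired credential must not mint a token at all.
        raise ValueError("application credential has already expired")
    if expires_at > cred_expires_at:
        LOG.warning("Token expiration %s exceeds application credential "
                    "expiration %s; resetting token expiration.",
                    expires_at.isoformat(), cred_expires_at.isoformat())
        expires_at = cred_expires_at
    return expires_at


def outlives_credential(token_expires_at, app_cred_expires_at) -> bool:
    """Operator check: does a token's `.expires` lie past the credential's
    `.expires_at`?  True means the cloud still shows the bug."""
    if app_cred_expires_at is None:
        return False
    return _aware(token_expires_at) > _aware(app_cred_expires_at)


if __name__ == "__main__":
    # Constructed sample values: credential expires 10 s after issuance.
    now = parse_keystone_ts("2022-07-08T13:54:52.000000")
    cred = parse_keystone_ts("2022-07-08T13:55:02.000000")
    print("before fix:", token_expiry_before_fix(now, cred).isoformat())
    print("after fix: ", token_expiry_after_fix(now, cred).isoformat())
```

Run it as-is to see the two expiries side by side; to check a live cloud, feed `parse_keystone_ts` the `expires` value from `token.json` and the `expires_at` value from `appcreds.json` produced by the reproduction script and call `outlives_credential` on them.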
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1992183
Title:
Openstack: Application credential token remains valid longer than
expected (CVE-2022-2447)
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Security Advisory:
Incomplete
Bug description:
Description of problem:
Keystone issues tokens with the default lifespan regardless of the lifespan of the application credentials used to issue them.
If the configured lifespan of an identity token is set to be 1h, and the application credentials expire in 1 minute from now, a newly issued token will outlive the application credentials used to issue it by 59 minutes.
How reproducible: 100%
Steps to Reproduce:
1. Create application credentials with short expiration time (e.g. 10 seconds)
2. openstack token issue
--> the returned token has the standard expiration, for example 1 hour. The script below confirms that the token continues to be valid after the application credentials have expired.
```bash
#!/usr/bin/env bash
set -Eeuo pipefail

# Requires OS_CLOUD to name a cloud in the existing clouds.yaml; the
# image is created with those (regular) credentials.
openstack image create --disk-format=raw --container-format=bare \
  --file <(echo 'I am a Glance image') testimage -f json > image.json

# Public Glance endpoint plus the image's data path, used as the probe URL.
image_url="$(openstack catalog show glance -f json | jq -r '.endpoints[] | select(.interface=="public").url')$(jq -r '.file' image.json)"

# Application credential that expires 10 seconds from now.
openstack application credential create \
  --expiration="$(date --utc --date '+10 second' +%Y-%m-%dT%H:%M:%S)" \
  token_test \
  -f json \
  > appcreds.json

# clouds.yaml in the working directory takes precedence over
# ~/.config/openstack/clouds.yaml, so the same cloud name now
# authenticates with the application credential.
# Fill in <auth_url> and <region_name> for the cloud under test.
cat <<EOF > clouds.yaml
clouds:
  ${OS_CLOUD}:
    auth:
      auth_url: <auth_url>
      application_credential_id: '$(jq -r '.id' appcreds.json)'
      application_credential_secret: '$(jq -r '.secret' appcreds.json)'
    auth_type: "v3applicationcredential"
    identity_api_version: 3
    interface: public
    region_name: <region_name>
EOF
# Override ~/.config/openstack/secure.yaml with an empty one
touch secure.yaml

openstack token issue -f json > token.json
echo "appcreds expiration: $(jq -r '.expires_at' appcreds.json)"

# Probe Glance with the token every 100 s; after the credential has
# expired the expected answer is 401.
for i in {1..10}; do
  sleep 100
  echo -ne "$(date --utc --rfc-3339=seconds)\t"
  curl -isS -H "X-Auth-Token: $(jq -r '.id' token.json)" --url "$image_url" | head -n1
done
```
Actual results (on a cloud with a token duration of 24h):
appcreds expiration: 2022-07-08T13:55:02.000000
2022-07-08 13:56:38+00:00 HTTP/1.1 200 OK
2022-07-08 13:58:19+00:00 HTTP/1.1 200 OK
2022-07-08 14:00:00+00:00 HTTP/1.1 200 OK
2022-07-08 14:01:42+00:00 HTTP/1.1 200 OK
2022-07-08 14:03:23+00:00 HTTP/1.1 200 OK
2022-07-08 14:05:07+00:00 HTTP/1.1 200 OK
2022-07-08 14:06:49+00:00 HTTP/1.1 200 OK
2022-07-08 14:08:37+00:00 HTTP/1.1 200 OK
2022-07-08 14:10:18+00:00 HTTP/1.1 200 OK
2022-07-08 14:12:00+00:00 HTTP/1.1 200 OK
Expected results:
appcreds expiration: 2022-07-08T13:55:02.000000
2022-07-08 13:54:38+00:00 HTTP/1.1 200 OK
2022-07-08 13:58:19+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:00:00+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:01:42+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:03:23+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:05:07+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:06:49+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:08:37+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:10:18+00:00 HTTP/1.1 401 Unauthorized
2022-07-08 14:12:00+00:00 HTTP/1.1 401 Unauthorized
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1992183/+subscriptions