← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1992183] Re: Openstack: Application credential token remains valid longer than expected (CVE-2022-2447)

 

Reviewed:  https://review.opendev.org/c/openstack/keystone/+/861232
Committed: https://opendev.org/openstack/keystone/commit/8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1
Submitter: "Zuul (22348)"
Branch:    master

commit 8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1
Author: Dave Wilde (d34dh0r53) <dwilde@xxxxxxxxxx>
Date:   Thu Oct 13 15:37:53 2022 -0500

    Limit token expiration to application credential expiration
    
    If a token is issued with an application credential we need to check
    the expiration of the application credential to ensure that the token
    does not outlive the application credential. This ensures that if the
    token expiration is greaten than that of the application credential it
    is reset to the expiration of the application credential and a warning
    is logged. Please see CVE-2022-2447 for more information.
    
    Closes-Bug: 1992183
    Change-Id: If6f9f72cf25769d022a970fac36cead17b2030f2


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1992183

Title:
  Openstack: Application credential token remains valid longer than
  expected (CVE-2022-2447)

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  Description of problem:
  Keystone issues tokens with the default lifespan regardless of the lifespan of the application credentials used to issue them.
  If the configured lifespan of an identity token is set to be 1h, and the application credentials expire in 1 minute from now, a newly issued token will outlive the application credentials used to issue it by 59 minutes.

  How reproducible: 100%

  Steps to Reproduce:
  1. Create application credentials with short expiration time (e.g. 10 seconds)
  2. openstack token issue
  --> the returned token has standard expiration, for example 1 hour. The script below confirms that the token continue being valid after the application credentials expired.

  ```bash
  #!/usr/bin/env bash

  set -Eeuo pipefail

  openstack image create --disk-format=raw --container-format=bare
  --file <(echo 'I am a Glance image') testimage -f json > image.json

  image_url="$(openstack catalog show glance -f json | jq -r
  '.endpoints[] | select(.interface=="public").url')$(jq -r '.file'
  image.json)"

  openstack application credential create \
  	--expiration="$(date --utc --date '+10 second' +%Y-%m-%dT%H:%M:%S)" \
  	token_test \
  	-f json \
  	> appcreds.json

  cat <<EOF > clouds.yaml
  clouds:
      ${OS_CLOUD}:
          auth:
              auth_url: <auth_url>
              application_credential_id: '$(jq -r '.id' appcreds.json)'
              application_credential_secret: '$(jq -r '.secret' appcreds.json)'
          auth_type: "v3applicationcredential"
          identity_api_version: 3
          interface: public
          region_name: <region_name>
  EOF
  # Override ~/.config/openstack/secure.yaml
  touch secure.yaml

  openstack token issue -f json > token.json

  echo "appcreds expiration: $(jq -r '.expires_at' appcreds.json)"
  for i in {1..10}; do
  	sleep 100
  	echo -ne "$(date --utc --rfc-3339=seconds)\t"
  	curl -isS -H "X-Auth-Token: $(jq -r '.id' token.json)" --url "$image_url" | head -n1
  done

  ```

  Actual results (on a cloud with tokens duration of 24h):
  appcreds expiration: 2022-07-08T13:55:02.000000
  2022-07-08 13:56:38+00:00       HTTP/1.1 200 OK
  2022-07-08 13:58:19+00:00       HTTP/1.1 200 OK
  2022-07-08 14:00:00+00:00       HTTP/1.1 200 OK
  2022-07-08 14:01:42+00:00       HTTP/1.1 200 OK
  2022-07-08 14:03:23+00:00       HTTP/1.1 200 OK
  2022-07-08 14:05:07+00:00       HTTP/1.1 200 OK
  2022-07-08 14:06:49+00:00       HTTP/1.1 200 OK
  2022-07-08 14:08:37+00:00       HTTP/1.1 200 OK
  2022-07-08 14:10:18+00:00       HTTP/1.1 200 OK
  2022-07-08 14:12:00+00:00       HTTP/1.1 200 OK

  Expected results:
  appcreds expiration: 2022-07-08T13:55:02.000000
  2022-07-08 13:54:38+00:00       HTTP/1.1 200 OK
  2022-07-08 13:58:19+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:00:00+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:01:42+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:03:23+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:05:07+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:06:49+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:08:37+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:10:18+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:12:00+00:00       HTTP/1.1 401 Unauthorized

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1992183/+subscriptions



References