← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #94672

[Bug 1992183] Re: Openstack: Application credential token remains valid longer than expected (CVE-2022-2447)

  Thread PreviousDate PreviousThread Next 
Given this report is 2 years old and it's been a year since fixes ended
up in some stable point releases while other stable branches didn't get
them merged until after they reached end of normal maintenance, it
doesn't seem to rise to the level of urgency where we'd issue an OSSA,
particularly a year after the fact. As such, I'm closing the Security
Advisory task as Won't Fix, but if there are any dissenting opinions I'm
happy to reopen and revisit that decision.

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1992183

Title:
  Openstack: Application credential token remains valid longer than
  expected (CVE-2022-2447)

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Description of problem:
  Keystone issues tokens with the default lifespan regardless of the lifespan of the application credentials used to issue them.
  If the configured lifespan of an identity token is set to be 1h, and the application credentials expire in 1 minute from now, a newly issued token will outlive the application credentials used to issue it by 59 minutes.

  How reproducible: 100%

  Steps to Reproduce:
  1. Create application credentials with short expiration time (e.g. 10 seconds)
  2. openstack token issue
  --> the returned token has standard expiration, for example 1 hour. The script below confirms that the token continue being valid after the application credentials expired.

  ```bash
  #!/usr/bin/env bash

  set -Eeuo pipefail

  openstack image create --disk-format=raw --container-format=bare
  --file <(echo 'I am a Glance image') testimage -f json > image.json

  image_url="$(openstack catalog show glance -f json | jq -r
  '.endpoints[] | select(.interface=="public").url')$(jq -r '.file'
  image.json)"

  openstack application credential create \
  	--expiration="$(date --utc --date '+10 second' +%Y-%m-%dT%H:%M:%S)" \
  	token_test \
  	-f json \
  	> appcreds.json

  cat <<EOF > clouds.yaml
  clouds:
      ${OS_CLOUD}:
          auth:
              auth_url: <auth_url>
              application_credential_id: '$(jq -r '.id' appcreds.json)'
              application_credential_secret: '$(jq -r '.secret' appcreds.json)'
          auth_type: "v3applicationcredential"
          identity_api_version: 3
          interface: public
          region_name: <region_name>
  EOF
  # Override ~/.config/openstack/secure.yaml
  touch secure.yaml

  openstack token issue -f json > token.json

  echo "appcreds expiration: $(jq -r '.expires_at' appcreds.json)"
  for i in {1..10}; do
  	sleep 100
  	echo -ne "$(date --utc --rfc-3339=seconds)\t"
  	curl -isS -H "X-Auth-Token: $(jq -r '.id' token.json)" --url "$image_url" | head -n1
  done

  ```

  Actual results (on a cloud with tokens duration of 24h):
  appcreds expiration: 2022-07-08T13:55:02.000000
  2022-07-08 13:56:38+00:00       HTTP/1.1 200 OK
  2022-07-08 13:58:19+00:00       HTTP/1.1 200 OK
  2022-07-08 14:00:00+00:00       HTTP/1.1 200 OK
  2022-07-08 14:01:42+00:00       HTTP/1.1 200 OK
  2022-07-08 14:03:23+00:00       HTTP/1.1 200 OK
  2022-07-08 14:05:07+00:00       HTTP/1.1 200 OK
  2022-07-08 14:06:49+00:00       HTTP/1.1 200 OK
  2022-07-08 14:08:37+00:00       HTTP/1.1 200 OK
  2022-07-08 14:10:18+00:00       HTTP/1.1 200 OK
  2022-07-08 14:12:00+00:00       HTTP/1.1 200 OK

  Expected results:
  appcreds expiration: 2022-07-08T13:55:02.000000
  2022-07-08 13:54:38+00:00       HTTP/1.1 200 OK
  2022-07-08 13:58:19+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:00:00+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:01:42+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:03:23+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:05:07+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:06:49+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:08:37+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:10:18+00:00       HTTP/1.1 401 Unauthorized
  2022-07-08 14:12:00+00:00       HTTP/1.1 401 Unauthorized

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1992183/+subscriptions

References

  Thread PreviousDate PreviousThread Next