CVE-2012-4413

Publication date 13 September 2012

Last updated 24 July 2024


Ubuntu priority

OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.

From the Ubuntu Security Team

Dolph Mathews discovered that when roles are granted and revoked to users in Keystone, pre-existing tokens were not updated or invalidated to take the new roles into account. An attacker could use this to continue to access resources that have been revoked.

Status

Package    Ubuntu Release       Status
keystone   12.10 quantal        Not affected
           12.04 LTS precise    Fixed 2012.1+stable~20120824-a16a0ab9-0ubuntu2.2
           11.10 oneiric        Ignored
           11.04 natty          Not in release
           10.04 LTS lucid      Not in release
           8.04 LTS hardy       Not in release

Notes


jdstrand

2012.2~rc1-0ubuntu1 on 12.10 includes the fixes.
Keystone on 11.10 is a pre-release version and unusable with other components such as nova and horizon.

References

Related Ubuntu Security Notices (USN)

    • USN-1564-1: OpenStack Keystone vulnerability (13 September 2012)

Other references