CVE-2013-4222

OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
keystone	13.10 saucy	Not affected
	13.04 raring	Fixed 1:2013.1.3-0ubuntu1.1
	12.10 quantal	Fixed 2012.2.4-0ubuntu3.2
	12.04 LTS precise	Not affected
	10.04 LTS lucid	Not in release

Notes

jdstrand

Debian states that the code is not present in Essex (as included in 12.04 LTS) Essex does not invalidate user tokens when a tenant is disabled, but the 'keystone tenant-update --enable false ...' doesn't work to a bug in python-keystoneclient. This bug was fixed in the following commit: https://github.com/openstack/python-keystoneclient/commit/51f6cc6573319f66b6127d5f2b50e57949b59107 but this is not available in Ubuntu 12.04 LTS as of 2013/10/22. Furthermore, on Essex token revocation is not limited to the tenant (this was introduced in https://github.com/openstack/keystone/commit/4e1a0867f9e9f42dd7c2abe3a10ca8a8f7dddce3) and this functionality is required for the deficiency described by this CVE to make any sense. Ignoring on 12.04 LTS since disabling a tenant doesn't work, revocation of users via tenants doesn't work as described in this CVE and because upstream considers this CVE a lack of a feature more than a security vulnerability. test case in the bug

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
keystone	Upstream: https://review.openstack.org/#/c/46381/ Upstream: https://review.openstack.org/46371

References

Related Ubuntu Security Notices (USN)

USN-2002-1
Keystone vulnerabilities
23 October 2013

Status

Notes

Patch details

References

Related Ubuntu Security Notices (USN)

Other references