PublicDateAtUSN: 2013-09-30
Candidate: CVE-2013-4222
PublicDate: 2013-09-30 22:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4222
 http://lists.openstack.org/pipermail/openstack-security/2013-August/000263.html
 https://ubuntu.com/security/notices/USN-2002-1
Description:
 OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token.
Ubuntu-Description:
Notes:
 jdstrand> Debian states that the code is not present in Essex (as included in 12.04 LTS)
 jdstrand> Essex does not invalidate user tokens when a tenant is disabled, but the 'keystone tenant-update --enable false ...' doesn't work due to a bug in python-keystoneclient. This bug was fixed in the following commit: https://github.com/openstack/python-keystoneclient/commit/51f6cc6573319f66b6127d5f2b50e57949b59107 but this is not available in Ubuntu 12.04 LTS as of 2013/10/22. Furthermore, on Essex token revocation is not limited to the tenant (this was introduced in https://github.com/openstack/keystone/commit/4e1a0867f9e9f42dd7c2abe3a10ca8a8f7dddce3) and this functionality is required for the deficiency described by this CVE to make any sense. Ignoring on 12.04 LTS since disabling a tenant doesn't work, revocation of users via tenants doesn't work as described in this CVE and because upstream considers this CVE a lack of a feature more than a security vulnerability.
 jdstrand> test case in the bug
Bugs:
 https://bugs.launchpad.net/ossn/+bug/1179955
Priority: low
Discovered-by: Chmouel Boudjnah
Assigned-to:
CVSS:

Patches_keystone:
 upstream: https://review.openstack.org/#/c/46381/ (folsom)
 upstream: https://review.openstack.org/46371 (grizzly)
upstream_keystone: released (1:2013.2~rc4)
lucid_keystone: DNE
precise_keystone: not-affected
quantal_keystone: released (2012.2.4-0ubuntu3.2)
raring_keystone: released (1:2013.1.3-0ubuntu1.1)
saucy_keystone: not-affected (1:2013.2~rc4-0ubuntu1)
devel_keystone: not-affected (1:2013.2~rc4-0ubuntu1)