[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-09-28 Thread Russell Bryant
Please review this vulnerability description.  Once confirmed, it will
go out in an OSSA.


Title: Token authorization for a user in a disabled tenant is allowed
Impact: High
Reporter: Rohit Karajgi (NTT Data)
Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-3 development milestone)

Description:
Rohit Karajgi reported a vulnerability in Keystone. It was possible to get a 
token that is authorized for a disabled tenant. Once the token is established 
with authorization on the tenant, keystone would respond 200 OK to token 
validation requests from other OpenStack services, allowing the user to work 
with the tenant's resources.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to keystone in Ubuntu.
https://bugs.launchpad.net/bugs/988920

Title:
  Token authentication for a user in a disabled tenant does not raise
  Unauthorized error

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/988920/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-09-28 Thread Joseph Heck
Good description, ack.



[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-09-28 Thread Thierry Carrez
Description looks good. Maybe add that the fix already shipped in
2012.1.2 and 2012.2.



[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-09-28 Thread Russell Bryant
OSSA sent: https://lists.launchpad.net/openstack/msg17035.html



[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-09-27 Thread Russell Bryant
Can a keystone dev comment on the potential security impact of this bug?
I'm trying to figure out if we need to go back and issue a security
advisory for this.  Would this token be successfully validated allowing
a user to do stuff with the token they shouldn't have received?

** This bug has been flagged as a security vulnerability



[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-09-27 Thread Russell Bryant
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4457



[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-09-27 Thread Dolph Mathews
Russell: It's exactly as you describe.

In this case, authentication succeeds as expected, but authorization
should fail (disabling the tenant should break the user-tenant
authorization relationship).

Once the token is established with authorization on the tenant, keystone
would respond 200 OK to token validation requests from other OpenStack
services, allowing the user to work with the tenant's resources --
probably not what the admin had in mind when disabling the tenant!

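The flow described in Russell's advisory draft and in Dolph's reply (authentication succeeds, authorization against a disabled tenant should not), as an added example that is not part of this thread or of Keystone's own code: a toy token service where `enforce_tenant_enabled=False` reproduces the reported behaviour and `True` models the fix. `TokenService`, `issue_token`, `validate_token`, `can_issue` and the dict layout of users and tenants are this example's own assumptions, and the fixed path also re-checks the tenant at validation time so tokens issued before the tenant was disabled stop validating too.

```python
import secrets

class Unauthorized(Exception):
    pass

class TokenService:
    """users: {id: {"password", "enabled", "tenants"}}, tenants: {id: {"enabled"}}.
    enforce_tenant_enabled=False reproduces the reported behaviour, True the fix."""

    def __init__(self, users, tenants, enforce_tenant_enabled=True):
        self.users = users
        self.tenants = tenants
        self.enforce = enforce_tenant_enabled
        self.tokens = {}  # token id -> (user id, tenant id)

    def issue_token(self, user_id, password, tenant_id):
        user = self.users.get(user_id)
        # Authentication: succeeds in both the buggy and the fixed version.
        if user is None or not user["enabled"] or user["password"] != password:
            raise Unauthorized("authentication failed")
        tenant = self.tenants.get(tenant_id)
        if tenant is None or tenant_id not in user["tenants"]:
            raise Unauthorized("user is not a member of tenant")
        # Authorization: disabling the tenant breaks the user-tenant
        # relationship, so the fixed version refuses to scope a token to it.
        if self.enforce and not tenant["enabled"]:
            raise Unauthorized("tenant is disabled")
        token = secrets.token_hex(16)
        self.tokens[token] = (user_id, tenant_id)
        return token

    def validate_token(self, token):
        """True means another service should answer 200 OK for this token."""
        scope = self.tokens.get(token)
        if scope is None:
            return False
        user_id, tenant_id = scope
        # Re-check at validation time so tokens issued before the tenant
        # was disabled stop validating as well.
        if self.enforce and not self.tenants[tenant_id]["enabled"]:
            return False
        return self.users[user_id]["enabled"]

def can_issue(svc, user_id, password, tenant_id):
    """True when issue_token succeeds instead of raising Unauthorized."""
    try:
        svc.issue_token(user_id, password, tenant_id)
        return True
    except Unauthorized:
        return False
```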


[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-09-03 Thread Launchpad Bug Tracker
This bug was fixed in the package keystone -
2012.1+stable~20120824-a16a0ab9-0ubuntu2

---
keystone (2012.1+stable~20120824-a16a0ab9-0ubuntu2) precise-proposed; urgency=low

  * New upstream release (LP: #1041120):
- debian/patches/0013-Flush-tenant-membership-deletion-before-user.patch:
  Dropped.
  * Resynchronize with stable/essex:
- authenticate in ldap backend doesn't return a list of roles
  (LP: #1035428)
- LDAP should not check username on sn field (LP: #997700)
- Admin API doesn't valid token. (LP: #1006815, #1006822)
- Memcache token backend eventually stops working. (LP: #1012381)
- EC2 credentials not migrated from legacy (diablo) database. (LP: #1016056)
- Deleting tenants or users does not cleanup metadata. (LP: #973243)
- Deleting tenants does not cleanup its user associations. (LP: #974199)
- TokenNotFound not raised in testsuite because of timezone issues. (LP: #983800)
- Token authentication for a user in a disabled tenant does not raise
  Unauthorized error. (LP: #988920)
- export_legacy_catalog doesn't convert url names correctly. (LP: #994936)
- Following a password compromise and subsequent password change,
  tokens remain valid. (LP: #996595)
- Tokens remain valid after a user account is disabled. (LP: #997194)
 -- Adam Gandelman ad...@canonical.com   Fri, 24 Aug 2012 03:34:59 -0400

** Changed in: keystone (Ubuntu Precise)
   Status: Confirmed => Fix Released



[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-08-30 Thread Adam Gandelman
Test coverage log.

** Attachment added: 2012.1+stable~20120824-a16a0ab9-0ubuntu2.log
   https://bugs.launchpad.net/bugs/988920/+attachment/3283190/+files/2012.1%2Bstable%7E20120824-a16a0ab9-0ubuntu2.log

** Tags added: verification-done



[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-08-24 Thread Dave Walker
** Changed in: keystone (Ubuntu)
   Status: New => Fix Released

** Also affects: keystone (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Changed in: keystone (Ubuntu Precise)
   Status: New => Confirmed



[Bug 988920] Re: Token authentication for a user in a disabled tenant does not raise Unauthorized error

2012-08-24 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/precise-proposed/keystone

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to keystone in Ubuntu.
https://bugs.launchpad.net/bugs/988920

Title:
  Token authentication for a user in a disabled tenant does not raise
  Unauthorized error

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/988920/+subscriptions
