Red Hat Security Advisory 2013-1524-01 - The openstack-keystone packages provide Keystone, a Python implementation of the OpenStack identity service API, which provides Identity, Token, Catalog, and Policy services. It was found that tokens issued to a tenant were not invalidated when that tenant was disabled in Keystone. This could allow users assigned to a disabled tenant to retain access to resources they should no longer be able to access. These updated packages have been upgraded to upstream version 2013.1.4, which provides a number of bug fixes over the previous version.
b24f71928e7f9e525e30eb87c9d89f612ec145a89de4dc93edae2fdb4ed1e42b
Ubuntu Security Notice 2002-1 - Chmouel Boudjnah discovered that Keystone did not invalidate user tokens when a tenant was disabled, which allowed an authenticated user to retain access via a previously issued token. Kieran Spear discovered that Keystone did not properly verify PKI tokens when performing revocation with the memcache and KVS token backends. An authenticated attacker could exploit this to bypass intended access restrictions. Various other issues were also addressed.
f6c7d78a98e19bff9d96af24e8f2c061c076b9f02b37bf3bb46129464f18077f
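The flaw both advisories describe is a lifecycle gap: a bearer token stays valid for its full TTL even though the tenant it is scoped to has been disabled. The toy identity service below is an added example written for this page, not Keystone's own code; the class and function names are hypothetical. With `invalidate_on_disable=False` it reproduces the reported behaviour; with the default it applies the two checks a practitioner wants: disabling a tenant revokes its outstanding tokens, and validation re-checks the tenant's enabled flag so that a token survives neither a missed revocation nor a backend that failed to record one.

```python
"""Toy model of the Keystone flaw: a token scoped to a tenant must stop
validating once that tenant is disabled. Added example, not project code."""
from dataclasses import dataclass
from typing import Dict, Optional
import secrets
import time


@dataclass
class Tenant:
    tenant_id: str
    enabled: bool = True


@dataclass
class Token:
    token_id: str
    user_id: str
    tenant_id: str
    expires_at: float
    revoked: bool = False


class IdentityService:
    """Hypothetical in-memory identity service.

    invalidate_on_disable=False reproduces the advisory's flaw: disabling a
    tenant leaves its tokens untouched and validation never re-checks it.
    """

    def __init__(self, invalidate_on_disable: bool = True) -> None:
        self.invalidate_on_disable = invalidate_on_disable
        self.tenants: Dict[str, Tenant] = {}
        self.tokens: Dict[str, Token] = {}

    def create_tenant(self, tenant_id: str) -> Tenant:
        tenant = Tenant(tenant_id)
        self.tenants[tenant_id] = tenant
        return tenant

    def issue_token(self, user_id: str, tenant_id: str, ttl: int = 3600) -> str:
        tenant = self.tenants[tenant_id]
        if not tenant.enabled:
            raise PermissionError("tenant is disabled")
        token = Token(secrets.token_hex(16), user_id, tenant_id, time.time() + ttl)
        self.tokens[token.token_id] = token
        return token.token_id

    def disable_tenant(self, tenant_id: str) -> int:
        """Disable the tenant; with the fix, also revoke every outstanding
        token scoped to it. Returns the number of tokens revoked."""
        self.tenants[tenant_id].enabled = False
        if not self.invalidate_on_disable:
            return 0  # vulnerable behaviour: tokens keep working
        revoked = 0
        for token in self.tokens.values():
            if token.tenant_id == tenant_id and not token.revoked:
                token.revoked = True
                revoked += 1
        return revoked

    def validate_token(self, token_id: str, now: Optional[float] = None) -> bool:
        token = self.tokens.get(token_id)
        if token is None or token.revoked:
            return False
        current = now if now is not None else time.time()
        if current >= token.expires_at:
            return False
        # Defence in depth: even if revocation was missed (for example a
        # token backend that failed to record it), a token scoped to a
        # disabled tenant is rejected at validation time.
        if self.invalidate_on_disable and not self.tenants[token.tenant_id].enabled:
            return False
        return True


def token_survives_tenant_disable(invalidate_on_disable: bool) -> bool:
    """True when a token issued before the tenant was disabled still validates."""
    svc = IdentityService(invalidate_on_disable)
    svc.create_tenant("acme")
    token_id = svc.issue_token("alice", "acme")
    svc.disable_tenant("acme")
    return svc.validate_token(token_id)


if __name__ == "__main__":
    print("vulnerable:", token_survives_tenant_disable(False))  # True
    print("fixed:     ", token_survives_tenant_disable(True))   # False
```

The validation-time check matters beyond the disable path: revocation lists are only as good as the backend that stores them, and the second advisory's PKI revocation problem in the memcache and KVS backends is exactly the kind of failure that a re-check of the tenant's state at validation catches.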