CVE-2013-1865

Advisory

OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.
https://review.opendev.org/c/openstack/keystone/+/24906

Affected package

Affected versions

Fixed versions

Vulnerability changelog

OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.


MLIST:[oss-security] 20130320 [OSSA 2013-009] Keystone PKI tokens online validation bypasses revocation check (CVE-2013-1865): http://www.openwall.com/lists/oss-security/2013/03/20/13
CONFIRM:https://bugs.launchpad.net/keystone/+bug/1129713: https://bugs.launchpad.net/keystone/+bug/1129713
CONFIRM:https://review.openstack.org/#/c/24906/: https://review.openstack.org/#/c/24906/
FEDORA:FEDORA-2013-4590: http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101719.html
REDHAT:RHSA-2013:0708: http://rhn.redhat.com/errata/RHSA-2013-0708.html
SUSE:openSUSE-SU-2013:0565: http://lists.opensuse.org/opensuse-updates/2013-04/msg00000.html
UBUNTU:USN-1772-1: http://www.ubuntu.com/usn/USN-1772-1
BID:58616: http://www.securityfocus.com/bid/58616
OSVDB:91532: http://osvdb.org/91532
SECUNIA:52657: http://secunia.com/advisories/52657

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1865
• https://review.openstack.org/#/c/24906/
• http://www.securityfocus.com/bid/58616
• https://bugs.launchpad.net/keystone/+bug/1129713
• http://www.ubuntu.com/usn/USN-1772-1
• http://osvdb.org/91532
• http://www.openwall.com/lists/oss-security/2013/03/20/13
• http://secunia.com/advisories/52657
• http://lists.opensuse.org/opensuse-updates/2013-04/msg00000.html
• http://rhn.redhat.com/errata/RHSA-2013-0708.html
• http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101719.html