CVE-2013-4294

Related Files

Ubuntu Security Notice USN-2002-1

Posted Oct 23, 2013

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2002-1 - Chmouel Boudjnah discovered that Keystone did not properly invalidate user tokens when a tenant was disabled which allowed an authenticated user to retain access via the token. Kieran Spear discovered that Keystone did not properly verify PKI tokens when performing revocation when using the memcache and KVS backends. An authenticated attacker could exploit this to bypass intended access restrictions. Various other issues were also addressed.

tags | advisory

systems | linux, ubuntu

advisories | CVE-2013-4222, CVE-2013-4294, CVE-2013-4222, CVE-2013-4294

SHA-256 | f6c7d78a98e19bff9d96af24e8f2c061c076b9f02b37bf3bb46129464f18077f

Download | Favorite | View

Red Hat Security Advisory 2013-1285-01

Posted Sep 25, 2013

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-1285-01 - The openstack-keystone packages provide Keystone, a Python implementation of the OpenStack identity service API, which provides Identity, Token, Catalog, and Policy services. It was found that Keystone did not correctly handle revoked PKI tokens, allowing users with revoked tokens to retain access to resources they should no longer be able to access. This issue only affected systems using PKI tokens with the memcache or KVS token back ends.

tags | advisory, python

systems | linux, redhat

advisories | CVE-2013-4294

SHA-256 | 28df121d2a467014fbdbd4c61516f0f6cb586350418bb55edb71c88884ec877e

Download | Favorite | View