CVE-2022-2447
First published: Fri Jul 08 2022(Updated: )
Description of problem: Keystone issues tokens with the default lifespan regardless of the lifespan of the application credentials used to issue them. If the configured lifespan of an identity token is set to be 1h, and the application credentials expire in 1 minute from now, a newly issued token will outlive the application credentials used to issue it by 59 minutes. How reproducible: 100% Steps to Reproduce: 1. Create application credentials with short expiration time (e.g. 10 seconds) 2. openstack token issue --> the returned token has standard expiration, for example 1 hour. The script below confirms that the token continue being valid after the application credentials expired. ```bash #!/usr/bin/env bash set -Eeuo pipefail openstack image create --disk-format=raw --container-format=bare --file <(echo 'I am a Glance image') testimage -f json > image.json image_url="$(openstack catalog show glance -f json | jq -r '.endpoints[] | select(.interface=="public").url')$(jq -r '.file' image.json)" openstack application credential create \ --expiration="$(date --utc --date '+10 second' +%Y-%m-%dT%H:%M:%S)" \ token_test \ -f json \ > appcreds.json cat <<EOF > clouds.yaml clouds: ${OS_CLOUD}: auth: auth_url: <auth_url> application_credential_id: '$(jq -r '.id' appcreds.json)' application_credential_secret: '$(jq -r '.secret' appcreds.json)' auth_type: "v3applicationcredential" identity_api_version: 3 interface: public region_name: <region_name> EOF # Override ~/.config/openstack/secure.yaml touch secure.yaml openstack token issue -f json > token.json echo "appcreds expiration: $(jq -r '.expires_at' appcreds.json)" for i in {1..10}; do sleep 100 echo -ne "$(date --utc --rfc-3339=seconds)\t" curl -isS -H "X-Auth-Token: $(jq -r '.id' token.json)" --url "$image_url" | head -n1 done ``` Actual results (on a cloud with tokens duration of 24h): appcreds expiration: 2022-07-08T13:55:02.000000 2022-07-08 13:56:38+00:00 HTTP/1.1 200 OK 2022-07-08 13:58:19+00:00 HTTP/1.1 200 OK 2022-07-08 14:00:00+00:00 HTTP/1.1 200 OK 2022-07-08 14:01:42+00:00 HTTP/1.1 200 OK 2022-07-08 14:03:23+00:00 HTTP/1.1 200 OK 2022-07-08 14:05:07+00:00 HTTP/1.1 200 OK 2022-07-08 14:06:49+00:00 HTTP/1.1 200 OK 2022-07-08 14:08:37+00:00 HTTP/1.1 200 OK 2022-07-08 14:10:18+00:00 HTTP/1.1 200 OK 2022-07-08 14:12:00+00:00 HTTP/1.1 200 OK Expected results: appcreds expiration: 2022-07-08T13:55:02.000000 2022-07-08 13:54:38+00:00 HTTP/1.1 200 OK 2022-07-08 13:58:19+00:00 HTTP/1.1 401 Unauthorized 2022-07-08 14:00:00+00:00 HTTP/1.1 401 Unauthorized 2022-07-08 14:01:42+00:00 HTTP/1.1 401 Unauthorized 2022-07-08 14:03:23+00:00 HTTP/1.1 401 Unauthorized 2022-07-08 14:05:07+00:00 HTTP/1.1 401 Unauthorized 2022-07-08 14:06:49+00:00 HTTP/1.1 401 Unauthorized 2022-07-08 14:08:37+00:00 HTTP/1.1 401 Unauthorized 2022-07-08 14:10:18+00:00 HTTP/1.1 401 Unauthorized 2022-07-08 14:12:00+00:00 HTTP/1.1 401 Unauthorized
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenStack Keystone | ||
| Redhat Openstack | =16.1 | |
| Redhat Openstack | =16.2 | |
| Redhat Openstack Platform | =16.1 | |
| Redhat Openstack Platform | =16.2 | |
| Redhat Quay | =3.0.0 | |
| Redhat Storage | =3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2105419#c1
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2105317
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2105419#c2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2117920
- https://bugzilla.redhat.com/show_bug.cgi?id=2105419
- https://access.redhat.com/security/cve/CVE-2022-2447
Frequently Asked Questions
What is CVE-2022-2447?
CVE-2022-2447 is a vulnerability found in Keystone that allows a remote administrator to maintain secret access for longer than expected.
What is the severity of CVE-2022-2447?
The severity of CVE-2022-2447 is medium with a CVSS score of 6.6.
Which software is affected by CVE-2022-2447?
The software affected by CVE-2022-2447 includes OpenStack Keystone, Redhat Openstack, Redhat Openstack Platform, Redhat Quay, and Redhat Storage.
How can an attacker exploit CVE-2022-2447?
An attacker can exploit CVE-2022-2447 by taking advantage of the time lag in token revocation in Keystone.
Is there a fix available for CVE-2022-2447?
Yes, a fix is available for CVE-2022-2447. It is recommended to update to the latest version of affected software.
- collector/redhat-bugzilla
- alias/CVE-2022-2447
- collector/nvd-index
- agent/weakness
- agent/author
- agent/severity
- agent/references
- agent/tags
- agent/type
- agent/description
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- vendor/openstack
- canonical/openstack keystone
- vendor/redhat
- canonical/redhat openstack
- version/redhat openstack/16.1
- version/redhat openstack/16.2
- canonical/redhat openstack platform
- version/redhat openstack platform/16.1
- version/redhat openstack platform/16.2
- canonical/redhat quay
- version/redhat quay/3.0.0
- canonical/redhat storage
- version/redhat storage/3.0