What is the severity of REDHAT-BUG-2105419?

The severity of REDHAT-BUG-2105419 is currently assessed as medium due to potential unauthorized access from token misuse.

How do I fix REDHAT-BUG-2105419?

To fix REDHAT-BUG-2105419, you should update your OpenStack Keystone to the latest version where this issue has been addressed.

What functionality is affected by REDHAT-BUG-2105419?

REDHAT-BUG-2105419 affects the token issuing process in OpenStack Keystone, causing tokens to have a default lifespan regardless of application credentials.

What versions of Keystone are affected by REDHAT-BUG-2105419?

The specific versions of Keystone affected by REDHAT-BUG-2105419 have not been detailed, so checking your version against the latest release notes is recommended.

Is there a workaround for REDHAT-BUG-2105419?

Currently, there is no documented workaround for REDHAT-BUG-2105419; upgrading to the fixed version is the recommended approach.

Vulnerability/
REDHAT-BUG-2105419

medium

8/7/2022

1/7/2024

REDHAT-BUG-2105419

First published: Fri Jul 08 2022(Updated: )

Description of problem: Keystone issues tokens with the default lifespan regardless of the lifespan of the application credentials used to issue them. If the configured lifespan of an identity token is set to be 1h, and the application credentials expire in 1 minute from now, a newly issued token will outlive the application credentials used to issue it by 59 minutes. How reproducible: 100% Steps to Reproduce: 1. Create application credentials with short expiration time (e.g. 10 seconds) 2. openstack token issue --> the returned token has standard expiration, for example 1 hour. The script below confirms that the token continue being valid after the application credentials expired. ```bash #!/usr/bin/env bash set -Eeuo pipefail openstack image create --disk-format=raw --container-format=bare --file <(echo 'I am a Glance image') testimage -f json > image.json image_url="$(openstack catalog show glance -f json | jq -r '.endpoints[] | select(.interface=="public").url')$(jq -r '.file' image.json)" openstack application credential create \ --expiration="$(date --utc --date '+10 second' +%Y-%m-%dT%H:%M:%S)" \ token_test \ -f json \ > appcreds.json cat <<EOF > clouds.yaml clouds: ${OS_CLOUD}: auth: auth_url: <auth_url> application_credential_id: '$(jq -r '.id' appcreds.json)' application_credential_secret: '$(jq -r '.secret' appcreds.json)' auth_type: "v3applicationcredential" identity_api_version: 3 interface: public region_name: <region_name> EOF # Override ~/.config/openstack/secure.yaml touch secure.yaml openstack token issue -f json > token.json echo "appcreds expiration: $(jq -r '.expires_at' appcreds.json)" for i in {1..10}; do sleep 100 echo -ne "$(date --utc --rfc-3339=seconds)\t" curl -isS -H "X-Auth-Token: $(jq -r '.id' token.json)" --url "$image_url" | head -n1 done ``` Actual results (on a cloud with tokens duration of 24h): appcreds expiration: 2022-07-08T13:55:02.000000 2022-07-08 13:56:38+00:00 HTTP/1.1 200 OK 2022-07-08 13:58:19+00:00 HTTP/1.1 200 OK 2022-07-08 14:00:00+00:00 HTTP/1.1 200 OK 2022-07-08 14:01:42+00:00 HTTP/1.1 200 OK 2022-07-08 14:03:23+00:00 HTTP/1.1 200 OK 2022-07-08 14:05:07+00:00 HTTP/1.1 200 OK 2022-07-08 14:06:49+00:00 HTTP/1.1 200 OK 2022-07-08 14:08:37+00:00 HTTP/1.1 200 OK 2022-07-08 14:10:18+00:00 HTTP/1.1 200 OK 2022-07-08 14:12:00+00:00 HTTP/1.1 200 OK Expected results: appcreds expiration: 2022-07-08T13:55:02.000000 2022-07-08 13:54:38+00:00 HTTP/1.1 200 OK 2022-07-08 13:58:19+00:00 HTTP/1.1 401 Unauthorized 2022-07-08 14:00:00+00:00 HTTP/1.1 401 Unauthorized 2022-07-08 14:01:42+00:00 HTTP/1.1 401 Unauthorized 2022-07-08 14:03:23+00:00 HTTP/1.1 401 Unauthorized 2022-07-08 14:05:07+00:00 HTTP/1.1 401 Unauthorized 2022-07-08 14:06:49+00:00 HTTP/1.1 401 Unauthorized 2022-07-08 14:08:37+00:00 HTTP/1.1 401 Unauthorized 2022-07-08 14:10:18+00:00 HTTP/1.1 401 Unauthorized 2022-07-08 14:12:00+00:00 HTTP/1.1 401 Unauthorized

Affected Software	Affected Version	How to fix
OpenStack keystonemiddleware

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of REDHAT-BUG-2105419?
The severity of REDHAT-BUG-2105419 is currently assessed as medium due to potential unauthorized access from token misuse.
How do I fix REDHAT-BUG-2105419?
To fix REDHAT-BUG-2105419, you should update your OpenStack Keystone to the latest version where this issue has been addressed.
What functionality is affected by REDHAT-BUG-2105419?
REDHAT-BUG-2105419 affects the token issuing process in OpenStack Keystone, causing tokens to have a default lifespan regardless of application credentials.
What versions of Keystone are affected by REDHAT-BUG-2105419?
The specific versions of Keystone affected by REDHAT-BUG-2105419 have not been detailed, so checking your version against the latest release notes is recommended.
Is there a workaround for REDHAT-BUG-2105419?
Currently, there is no documented workaround for REDHAT-BUG-2105419; upgrading to the fixed version is the recommended approach.

agent/type
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2022-2447
agent/last-modified-date
agent/references
agent/severity
agent/first-publish-date
agent/event
agent/description
agent/trending
agent/source
agent/tags
agent/softwarecombine
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/openstack
canonical/openstack keystonemiddleware