CVE-2012-5571
OpenStack Keystone Essex (2012.1) and Folsom (2012.2) do not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role.
Related bugs and status
CVE-2012-5571 (Candidate) is related to these bugs:
Bug #1046905: Memcached Token Backend does not support list tokens
| Bug | Summary | In | Importance | Status |
|---|---|---|---|---|
| 1046905 | Memcached Token Backend does not support list tokens | OpenStack Identity (keystone) | Critical | Fix Released |
| 1046905 | Memcached Token Backend does not support list tokens | OpenStack Identity (keystone) essex | Critical | Fix Released |
| 1046905 | Memcached Token Backend does not support list tokens | keystone (Ubuntu) | Undecided | Fix Released |
| 1046905 | Memcached Token Backend does not support list tokens | keystone (Ubuntu Precise) | Undecided | Fix Released |
Bug #1050025: Token invalidation in case of role grant/revoke should be limited to affected tenant
| Bug | Summary | In | Importance | Status |
|---|---|---|---|---|
| 1050025 | Token invalidation in case of role grant/revoke should be limited to affected tenant | OpenStack Identity (keystone) | Medium | Fix Released |
| 1050025 | Token invalidation in case of role grant/revoke should be limited to affected tenant | OpenStack Identity (keystone) essex | Medium | Fix Released |
| 1050025 | Token invalidation in case of role grant/revoke should be limited to affected tenant | keystone (Ubuntu) | Undecided | Fix Released |
| 1050025 | Token invalidation in case of role grant/revoke should be limited to affected tenant | keystone (Ubuntu Precise) | Undecided | Fix Released |
Bug #1056373: memcache driver needs protection against unicode user keys
| Bug | Summary | In | Importance | Status |
|---|---|---|---|---|
| 1056373 | memcache driver needs protection against unicode user keys | OpenStack Identity (keystone) | Critical | Fix Released |
| 1056373 | memcache driver needs protection against unicode user keys | OpenStack Identity (keystone) essex | Critical | Fix Released |
| 1056373 | memcache driver needs protection against unicode user keys | keystone (Ubuntu) | Undecided | Fix Released |
| 1056373 | memcache driver needs protection against unicode user keys | keystone (Ubuntu Precise) | Undecided | Fix Released |
Bug #1060389: Non PKI Tokens longer than 32 characters can never be valid
| Bug | Summary | In | Importance | Status |
|---|---|---|---|---|
| 1060389 | Non PKI Tokens longer than 32 characters can never be valid | OpenStack Identity (keystone) | High | Fix Released |
| 1060389 | Non PKI Tokens longer than 32 characters can never be valid | OpenStack Identity (keystone) folsom | High | Fix Released |
| 1060389 | Non PKI Tokens longer than 32 characters can never be valid | keystone (Ubuntu) | Undecided | Fix Released |
| 1060389 | Non PKI Tokens longer than 32 characters can never be valid | keystone (Ubuntu Quantal) | Undecided | Fix Released |
Bug #1064914: [OSSA-2012-018] Removing user from a tenant isn't invalidating user access to tenant
| Bug | Summary | In | Importance | Status |
|---|---|---|---|---|
| 1064914 | [OSSA-2012-018] Removing user from a tenant isn't invalidating user access to tenant | OpenStack Identity (keystone) | Critical | Fix Released |
| 1064914 | [OSSA-2012-018] Removing user from a tenant isn't invalidating user access to tenant | OpenStack Identity (keystone) folsom | Critical | Fix Released |
| 1064914 | [OSSA-2012-018] Removing user from a tenant isn't invalidating user access to tenant | OpenStack Identity (keystone) essex | Undecided | Fix Released |
| 1064914 | [OSSA-2012-018] Removing user from a tenant isn't invalidating user access to tenant | keystone (Ubuntu) | Undecided | Fix Released |
| 1064914 | [OSSA-2012-018] Removing user from a tenant isn't invalidating user access to tenant | keystone (Ubuntu Quantal) | Undecided | Fix Released |
| 1064914 | [OSSA-2012-018] Removing user from a tenant isn't invalidating user access to tenant | OpenStack Security Advisory | Undecided | Fix Released |
Bug #1068674: Redo part of bp/sql-identiy-pam undone by bug 968519
| Bug | Summary | In | Importance | Status |
|---|---|---|---|---|
| 1068674 | Redo part of bp/sql-identiy-pam undone by bug 968519 | OpenStack Identity (keystone) | Undecided | Fix Released |
| 1068674 | Redo part of bp/sql-identiy-pam undone by bug 968519 | OpenStack Identity (keystone) folsom | Medium | Fix Released |
| 1068674 | Redo part of bp/sql-identiy-pam undone by bug 968519 | keystone (Ubuntu) | Undecided | Fix Released |
| 1068674 | Redo part of bp/sql-identiy-pam undone by bug 968519 | keystone (Ubuntu Quantal) | Undecided | Fix Released |
Bug #1068851: Openssl tests rely on expired certificate
| Bug | Summary | In | Importance | Status |
|---|---|---|---|---|
| 1068851 | Openssl tests rely on expired certificate | OpenStack Identity (keystone) | High | Fix Released |
| 1068851 | Openssl tests rely on expired certificate | OpenStack Identity (keystone) folsom | High | Fix Released |
| 1068851 | Openssl tests rely on expired certificate | keystone (Ubuntu) | Undecided | Fix Released |
| 1068851 | Openssl tests rely on expired certificate | keystone (Ubuntu Quantal) | Undecided | Fix Released |
Bug #1073569: Jenkins jobs fail because of incompatibility between sqlalchemy-migrate and the newest sqlalchemy-0.8.0b1
Bug #1078497: keystone throws error when removing user from tenant.
| Bug | Summary | In | Importance | Status |
|---|---|---|---|---|
| 1078497 | keystone throws error when removing user from tenant. | OpenStack Identity (keystone) | Critical | Fix Released |
| 1078497 | keystone throws error when removing user from tenant. | OpenStack Identity (keystone) folsom | Critical | Fix Released |
| 1078497 | keystone throws error when removing user from tenant. | keystone (Ubuntu) | Undecided | Fix Released |
| 1078497 | keystone throws error when removing user from tenant. | keystone (Ubuntu Quantal) | Undecided | Fix Released |
Bug #1085255: Meta bug for tracking Openstack 2012.2.1 Stable Update
Bug #1089488: Meta bug for tracking Openstack Stable Updates
| Bug | Summary | In | Importance | Status |
|---|---|---|---|---|
| 1089488 | Meta bug for tracking Openstack Stable Updates | nova (Ubuntu) | Undecided | Invalid |
| 1089488 | Meta bug for tracking Openstack Stable Updates | horizon (Ubuntu) | Undecided | Invalid |
| 1089488 | Meta bug for tracking Openstack Stable Updates | keystone (Ubuntu) | Undecided | Invalid |
| 1089488 | Meta bug for tracking Openstack Stable Updates | horizon (Ubuntu Precise) | Undecided | Fix Released |
| 1089488 | Meta bug for tracking Openstack Stable Updates | keystone (Ubuntu Precise) | Undecided | Fix Released |
| 1089488 | Meta bug for tracking Openstack Stable Updates | nova (Ubuntu Precise) | Undecided | Fix Released |
| 1089488 | Meta bug for tracking Openstack Stable Updates | glance (Ubuntu) | Undecided | Fix Released |
See the CVE page on Mitre.org for more details.