Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 4.9
CVE Id CVE-2012-3426
Last Modified 07 Sep 2012 12:30:35
Published 31 Jul 2012 06:45:42
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication SINGLE_INSTANCE

CVE-2012-3426

Summary

OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password.
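The three conditions above map directly onto checks a token validator must perform. The following is an added illustration, not Keystone's own code: a minimal validator that rejects tokens after expiry, for disabled users, and for tokens issued before the user's last password change, and a token issuer that caps a chained token's lifetime at its parent's expiry. The `User`, `Token`, `check_token` and `issue_token` names and the `password_changed_at` field are assumptions made for this example, and the timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample clock: all times in the example are offsets from T0.
T0 = datetime(2012, 7, 27, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)


@dataclass
class User:
    user_id: str
    enabled: bool
    password_changed_at: datetime  # hypothetical field, not Keystone's schema


@dataclass
class Token:
    token_id: str
    user_id: str
    issued_at: datetime
    expires_at: datetime


def check_token(token, user, now):
    """Validate a token against the conditions named in CVE-2012-3426.

    Returns (True, "ok") or (False, reason) so a caller can log the reason.
    """
    if token.user_id != user.user_id:
        return False, "token does not belong to user"
    if now >= token.expires_at:
        return False, "expired"
    if not user.enabled:  # issue (2): token held for a disabled account
        return False, "user disabled"
    if token.issued_at < user.password_changed_at:  # issue (3): password changed
        return False, "issued before password change"
    return True, "ok"


def issue_token(user, now, token_id, lifetime=24 * HOUR, parent=None):
    """Issue a token; a token derived from a parent never outlives it (issue (1))."""
    expires_at = now + lifetime
    if parent is not None:
        ok, reason = check_token(parent, user, now)
        if not ok:
            raise ValueError(f"parent token rejected: {reason}")
        # Clamp to the parent's expiry so chaining cannot extend a session.
        expires_at = min(expires_at, parent.expires_at)
    return Token(token_id, user.user_id, now, expires_at)
```

Without the clamp in `issue_token`, a client holding a valid token could keep requesting fresh tokens from it and hold access indefinitely, which is the token-chaining case in the summary.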

Vulnerable Systems

Application

  • Openstack Essex

  • Openstack Horizon Folsom-1

  • Openstack Keystone 2012.1

  • Openstack Keystone 2012.1.1


References

CONFIRM - https://launchpad.net/keystone/essex/2012.1.1/+download/keystone-2012.1.1.tar.gz

MLIST - [oss-security] 20120727 [OSSA 2012-010] Various Keystone token expiration issues (CVE-2012-3426)

CONFIRM - http://github.com/openstack/keystone/commit/ea03d05ed5de0c015042876100d37a6a14bf56de

CONFIRM - http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c728ccb8626

CONFIRM - http://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb18ee6a355

CONFIRM - https://bugs.launchpad.net/keystone/+bug/998185

CONFIRM - https://bugs.launchpad.net/keystone/+bug/997194

CONFIRM - https://bugs.launchpad.net/keystone/+bug/996595

CONFIRM - http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e0309f0db454

CONFIRM - http://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f0279256f5d

CONFIRM - http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b32354558391826a4aa

UBUNTU - USN-1552-1

SECUNIA - 50494

SECUNIA - 50045


Last Updated: 27 May 2016 10:55:01