Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 5.0
CVE Id: CVE-2014-2237
Last Modified: 22 Apr 2015 09:59:24
Published: 01 Apr 2014 02:35:53
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2014-2237

Summary

The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list. As a result, bulk token revocation does not invalidate the token, which allows the trustee to bypass intended access restrictions.

Vulnerable Systems

Application

  • OpenStack Keystone 2013.1
  • OpenStack Keystone 2013.1.1
  • OpenStack Keystone 2013.1.2
  • OpenStack Keystone 2013.1.3
  • OpenStack Keystone 2013.1.4
  • OpenStack Keystone 2013.2.2


References

CONFIRM - https://bugs.launchpad.net/keystone/+bug/1260080

MLIST - [oss-security] 20140304 [OSSA 2014-006] Trustee token revocation does not work with memcache backend (CVE-2014-2237)

REDHAT - RHSA-2014:0580

BID - 65895


Last Updated: 27 May 2016 11:04:50