CVE-2014-5251 - The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before J

CVE-2014-5251

Summary

The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token.

References

Vulnerable Configurations

cpe:2.3:a:openstack:keystone:2014.1:*:*:*:*:*:*:*
cpe:2.3:a:openstack:keystone:2014.1:*:*:*:*:*:*:*
cpe:2.3:a:openstack:keystone:2014.1.2:*:*:*:*:*:*:*
cpe:2.3:a:openstack:keystone:2014.1.2:*:*:*:*:*:*:*
cpe:2.3:a:openstack:keystone:juno-1:*:*:*:*:*:*:*
cpe:2.3:a:openstack:keystone:juno-1:*:*:*:*:*:*:*
cpe:2.3:a:openstack:keystone:juno-2:*:*:*:*:*:*:*
cpe:2.3:a:openstack:keystone:juno-2:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

CVSS

Base:	4.9 (as of 10-10-2014 - 05:23)
Impact:
Exploitability:

CWE

CWE-255

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	SINGLE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	NONE

cvss-vector via4

AV:N/AC:M/Au:S/C:P/I:P/A:N

redhat via4

advisories

rhsa
id RHSA-2014:1121
rhsa
id RHSA-2014:1122

rpms

openstack-keystone-0:2014.1.2.1-1.el7ost
openstack-keystone-doc-0:2014.1.2.1-1.el7ost
python-keystone-0:2014.1.2.1-1.el7ost
openstack-keystone-0:2014.1.2.1-2.el6ost
openstack-keystone-doc-0:2014.1.2.1-2.el6ost
python-keystone-0:2014.1.2.1-2.el6ost

refmap via4

misc	https://bugs.launchpad.net/keystone/+bug/1347961
mlist	[oss-security] 20140815 [OSSA 2014-026] Multiple vulnerabilities in Keystone revocation events (CVE-2014-5251, CVE-2014-5252, CVE-2014-5253)
ubuntu	USN-2324-1

Last major update

10-10-2014 - 05:23

Published

25-08-2014 - 14:55

Last modified

10-10-2014 - 05:23