I asked about this CVE’s relationship to the previous CVE-2012-3426. Both of these CVEs relate to token expiration in Keystone. I got this response from Russell Bryant at Red Hat.
“It’s related, but not the same. That CVE did not include this
specific issue (existing tokens including roles that may have since
been revoked). It was for some other problems around token
expiration, though.” – Russell Bryant.
So, in case you were curious, as I was, there you have it.
Also from Dolph Mathews (Reporter):
“Ryan Lane deserves recognition for originally identifying this as a potential vulnerability. Thanks Ryan!” – Dolph Mathews
OpenStack Security Advisory: 2012-014
Date: September 12, 2012
Title: Revoking a role does not affect existing tokens
Reporter: Dolph Mathews (Rackspace)
Affects: Essex, Folsom
Dolph Mathews reported a vulnerability in Keystone. Granting and
revoking roles from a user is not reflected upon token validation for
pre-existing tokens. Pre-existing tokens continue to be valid for the
original set of roles for the remainder of the token’s lifespan, or
until explicitly invalidated. This fix invalidates all tokens held by
a user upon role grant/revoke to circumvent the issue.
This fix will be included in the future Keystone 2012.1.3 stable
update and the upcoming Folsom-RC1 development milestone.
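
The behaviour the advisory describes and the fix it applies, as an added Python model that is not Keystone's code. `TokenService`, its methods and the user `alice` are constructed for illustration, and the model assumes roles are snapshotted into a token when it is issued.

```python
import secrets
import time

class TokenService:
    """Toy token service (constructed model, not Keystone's implementation)."""

    def __init__(self, invalidate_on_role_change):
        self.invalidate_on_role_change = invalidate_on_role_change
        self.roles = {}    # user -> set of currently assigned roles
        self.tokens = {}   # token id -> {"user", "roles", "expires"}

    def issue(self, user):
        token_id = secrets.token_hex(16)
        # Assumption: the role set is copied into the token at issue time.
        self.tokens[token_id] = {
            "user": user,
            "roles": frozenset(self.roles.get(user, ())),
            "expires": time.time() + 3600,  # constructed one-hour lifespan
        }
        return token_id

    def validate(self, token_id):
        """Return the token's roles, or None if unknown, invalidated or expired."""
        token = self.tokens.get(token_id)
        if token is None or token["expires"] <= time.time():
            return None
        return token["roles"]

    def _roles_changed(self, user):
        # The advisory's fix: invalidate every token the user holds.
        if self.invalidate_on_role_change:
            self.tokens = {t: v for t, v in self.tokens.items() if v["user"] != user}

    def grant(self, user, role):
        self.roles.setdefault(user, set()).add(role)
        self._roles_changed(user)

    def revoke(self, user, role):
        self.roles.get(user, set()).discard(role)
        self._roles_changed(user)


def roles_after_revoke(invalidate_on_role_change):
    """Issue a token, revoke the role, then validate the old and a fresh token."""
    svc = TokenService(invalidate_on_role_change)
    svc.grant("alice", "admin")
    old_token = svc.issue("alice")
    svc.revoke("alice", "admin")
    return svc.validate(old_token), svc.validate(svc.issue("alice"))
```

With `invalidate_on_role_change=False` the old token still validates with `admin` after the revoke; with `True` it no longer validates, and only a freshly issued token (carrying the current role set) is accepted.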