PT-2016-3807 · Openstack · Liberty+2

Nathan Kinder · Published 2016-02-03 · Updated 2022-05-13 · CVE-2015-7546

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

OpenStack Identity (Keystone) versions prior to 2015.1.3 (Kilo)
OpenStack Identity (Keystone) 8.0.x versions prior to 8.0.2 (Liberty)
keystonemiddleware versions prior to 1.5.4 (Kilo)
keystonemiddleware 2.3.x (Liberty) versions prior to 2.3.3
Description

Keystone and keystonemiddleware do not properly invalidate authorization tokens issued by the PKI or PKIZ token providers. A remote authenticated user who holds a revoked token can manipulate byte fields within it so that it is no longer matched as revoked yet still validates, bypassing intended access restrictions and regaining access to cloud resources.
Recommendations

For OpenStack Identity (Keystone) versions prior to 2015.1.3, update to 2015.1.3 or later.
For OpenStack Identity (Keystone) 8.0.x versions prior to 8.0.2, update to 8.0.2 or later.
For keystonemiddleware versions prior to 1.5.4, update to 1.5.4 or later.
For keystonemiddleware 2.3.x (Liberty) versions prior to 2.3.3, update to 2.3.3 or later.
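The following is an added illustration of the bug class described above; it is not code from Keystone or keystonemiddleware. A toy token scheme stands in for PKI tokens: an HMAC plays the role of the CMS signature, the token ID is a hash of the encoded token exactly as presented, and the envelope carries one hypothetical byte the signature does not cover. Flipping that byte changes the token ID, so a revocation list keyed only on token IDs no longer matches, while the signature still verifies. The hardened check additionally keys revocation on an identifier carried inside the signed payload (Keystone tokens carry audit_ids, which suit this purpose). All function names, field names and the signing key are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Set

# Constructed stand-in for the Keystone signing certificate; a real PKI token
# is CMS-signed, here an HMAC plays that role.
SIGNING_KEY = b"constructed-demo-signing-key"
ENVELOPE_VERSION = b"\x01"   # hypothetical envelope byte NOT covered by the signature
SIG_LEN = 32                 # SHA-256 HMAC length


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(token: str) -> bytes:
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def issue_token(payload: Dict) -> str:
    """Sign the payload and wrap it in an envelope whose first byte is unsigned."""
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64e(ENVELOPE_VERSION + body + sig)


def verify_token(token: str) -> Optional[Dict]:
    """Return the signed payload, or None if the signature does not check out."""
    raw = _b64d(token)
    if len(raw) < SIG_LEN + 2:
        return None
    body, sig = raw[1:-SIG_LEN], raw[-SIG_LEN:]
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(body)


def token_id(token: str) -> str:
    """PKI-style token ID: a hash of the encoded token as presented on the wire."""
    return hashlib.md5(token.encode()).hexdigest()


def check_by_token_id(token: str, revoked_ids: Set[str]) -> str:
    """Vulnerable pattern: revocation keyed only on the hash of the presented bytes."""
    if token_id(token) in revoked_ids:
        return "revoked"
    return "valid" if verify_token(token) is not None else "invalid"


def check_by_signed_audit_id(token: str, revoked_ids: Set[str],
                             revoked_audit_ids: Set[str]) -> str:
    """Hardened pattern: also key revocation on an identifier inside the signed payload."""
    if token_id(token) in revoked_ids:
        return "revoked"
    payload = verify_token(token)
    if payload is None:
        return "invalid"
    if payload.get("audit_id") in revoked_audit_ids:
        return "revoked"
    return "valid"


def tamper_envelope(token: str) -> str:
    """Attacker: flip the unsigned envelope byte; signature still verifies, ID changes."""
    raw = bytearray(_b64d(token))
    raw[0] ^= 0x7F
    return _b64e(bytes(raw))


def tamper_payload(token: str) -> str:
    """Control case: touching a signed byte must fail verification."""
    raw = bytearray(_b64d(token))
    raw[5] ^= 0x01
    return _b64e(bytes(raw))


def demo() -> Dict[str, str]:
    """Revoke a token, then present the original, an envelope-tampered and a payload-tampered copy."""
    token = issue_token({"user_id": "alice", "project_id": "demo", "audit_id": "aud-0001"})
    revoked_ids = {token_id(token)}          # what a hash-keyed revocation list holds
    revoked_audit_ids = {"aud-0001"}         # what a payload-keyed list holds
    forged = tamper_envelope(token)
    return {
        "original_vulnerable": check_by_token_id(token, revoked_ids),
        "tampered_vulnerable": check_by_token_id(forged, revoked_ids),
        "tampered_hardened": check_by_signed_audit_id(forged, revoked_ids, revoked_audit_ids),
        "payload_tampered": check_by_signed_audit_id(tamper_payload(token), revoked_ids,
                                                     revoked_audit_ids),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the model is that any byte an attacker can change without disturbing signature verification is also a byte that changes a hash-of-the-presented-token identifier, so revocation state must be bound to something the signature actually covers.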

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2015-7546
GHSA-8C4W-V65P-JVCV
PYSEC-2016-20

Affected Products

Liberty
OpenStack Identity (Keystone)
keystonemiddleware