Blk-U

**Name of the Vulnerable Software and Affected Versions** OpenStack keystonemiddleware versions prior to 1.6.0 python-keystoneclient versions prior to 1.4.0 **Description** The issue allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate when the `insecure` option is set in a paste configuration file, regardless of its value. This is due to the s3 token middleware disabling certification verification. **Recommendations** For OpenStack keystonemiddleware versions prior to 1.6.0, update to version 1.6.0 or later to resolve the issue. For python-keystoneclient versions prior to 1.4.0, update to version 1.4.0 or later to resolve the issue. As a temporary workaround, consider removing the `insecure` option from the paste configuration file to prevent the disabling of certification verification.

**Name of the Vulnerable Software and Affected Versions** OpenStack Identity (Keystone) versions 2014.1.x before 2014.1.2.1 OpenStack Identity (Keystone) version Juno before Juno-3 **Description** The issue is related to the MySQL token driver in OpenStack Identity (Keystone), where timestamps are stored with incorrect precision. This causes the expiration comparison for tokens to fail, allowing remote authenticated users to retain access via an expired token. **Recommendations** For OpenStack Identity (Keystone) versions 2014.1.x before 2014.1.2.1, update to version 2014.1.2.1 or later to resolve the issue. For OpenStack Identity (Keystone) version Juno before Juno-3, update to Juno-3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OpenStack Identity (Keystone) versions 2014.1.x before 2014.1.2.1 OpenStack Identity (Keystone) version Juno before Juno-3 **Description** The issue allows remote authenticated users to retain access via a domain-scoped token for an invalidated domain. This occurs because OpenStack Identity (Keystone) does not properly revoke tokens when a domain is invalidated. **Recommendations** For OpenStack Identity (Keystone) versions 2014.1.x before 2014.1.2.1, update to version 2014.1.2.1 or later to resolve the issue. For OpenStack Identity (Keystone) version Juno before Juno-3, update to Juno-3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OpenStack Identity (Keystone) versions Grizzly through Havana **Description** The issue in OpenStack Identity (Keystone) allows local users to gain privileges by adding a role to a user when removing a role on a tenant for a user who does not have that role. **Recommendations** For OpenStack Identity (Keystone) versions Grizzly through Havana, consider restricting access to the LDAP backend until a fix is available. As a temporary workaround, manually review and correct user roles after removal to prevent unintended privilege escalation.