Subject:[Openstack] [OSSA 2013-003] Keystone denial of service through invalid token requests (CVE-2013-0247)
From:Thierry Carrez (thie@openstack.org)
Date:Feb 5, 2013 8:21:17 am
List:net.launchpad.lists.openstack

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-003
CVE: CVE-2013-0247
Date: February 5, 2013
Title: Keystone denial of service through invalid token requests
Reporter: Dan Prince (Red Hat)
Products: Keystone
Affects: All versions

Description: Dan Prince of Red Hat reported a vulnerability in token creation error handling in Keystone. By requesting many invalid tokens, an unauthenticated user may fill up the logs on Keystone API servers' disks, potentially resulting in a denial of service against Keystone.
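The failure mode described above, as an added example that is not part of the advisory and is neither Keystone's code nor the linked fix: a token endpoint whose error handler writes a full traceback plus the attacker-controlled request to the log on every invalid token turns each unauthenticated request directly into disk usage, while a handler that treats a bad token as an expected client error writes one short, fixed-size line (no request body, no traceback), rate limited per source address. The token format check, the handler and limiter names, the source address and the rate-limit values are all constructed for this example.

```python
"""Log-flooding denial of service from token error handling, and a bounded
alternative.  Added example, not Keystone's own code or its fix."""
import io
import logging
import time


class InvalidToken(Exception):
    """Expected client error: the presented token is not valid."""


def validate_token(token_id):
    # Stand-in for a real token lookup (assumed format: 32 lowercase hex digits).
    if len(token_id) != 32 or any(c not in "0123456789abcdef" for c in token_id):
        raise InvalidToken("token not found")
    return {"id": token_id}


class CountingLog:
    """Logger writing to an in-memory buffer so log volume can be measured."""

    def __init__(self, name):
        self.buf = io.StringIO()
        self.logger = logging.getLogger(name)
        self.logger.handlers.clear()
        self.logger.propagate = False
        self.logger.setLevel(logging.DEBUG)
        handler = logging.StreamHandler(self.buf)
        handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
        self.logger.addHandler(handler)

    def bytes_written(self):
        return len(self.buf.getvalue().encode())

    def lines_written(self):
        return self.buf.getvalue().count("\n")


def handle_vulnerable(logger, request):
    """Vulnerable pattern: every failure, including an expected bad token,
    writes a traceback and the attacker-controlled request to the log."""
    try:
        validate_token(request["token"])
        return 200
    except Exception:
        logger.exception("error validating token, request=%r", request)
        return 401


class PerSourceLimiter:
    """Token bucket per client address: allow `burst` log lines at once, then
    refill at `rate` lines per second.  `clock` is injectable for determinism."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}

    def allow(self, key):
        now = self.clock()
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[key] = (tokens - 1 if allowed else tokens, now)
        return allowed


def handle_hardened(logger, limiter, request):
    """Hardened pattern: an expected client error produces a fixed-size line
    with no request body and no traceback, rate limited per source; only an
    unexpected error gets the full traceback."""
    try:
        validate_token(request["token"])
        return 200
    except InvalidToken:
        if limiter.allow(request["remote_addr"]):
            logger.info("invalid token from %s", request["remote_addr"])
        return 401
    except Exception:
        logger.exception("unexpected error validating token")
        return 500


def flood(handler_name, n, padding=2000):
    """Send n invalid-token requests from one (constructed) source address and
    return (bytes logged, lines logged)."""
    log = CountingLog("keystone.demo." + handler_name)
    limiter = PerSourceLimiter(rate=1.0, burst=5, clock=lambda: 0.0)  # no refill
    for _ in range(n):
        request = {"remote_addr": "198.51.100.7",            # constructed sample
                   "token": "not-a-token-" + "A" * padding}  # oversized on purpose
        if handler_name == "vulnerable":
            status = handle_vulnerable(log.logger, request)
        else:
            status = handle_hardened(log.logger, limiter, request)
        assert status == 401
    return log.bytes_written(), log.lines_written()


if __name__ == "__main__":
    for name in ("vulnerable", "hardened"):
        nbytes, nlines = flood(name, 100)
        print(f"{name:10s}: {nlines:4d} log lines, {nbytes:8d} bytes for 100 requests")
```

Running the block shows the vulnerable handler emitting several hundred kilobytes for 100 requests, growing with whatever the client puts in the request, while the hardened handler emits five short lines and then nothing. The per-source rate limit is one choice; the essential properties are that an expected authentication failure never logs attacker-controlled content or a traceback, so log growth per request is bounded by the server, not the client.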

Grizzly (development branch) fix: https://github.com/openstack/keystone/commit/8ec247bf61be0e487332d5d891246d2b7b606989

Folsom fix: https://github.com/openstack/keystone/commit/bb2226f944aaa38beb7fc08ce0a78796e51e2680

Essex fix: https://review.openstack.org/#/c/21216/

References:
https://bugs.launchpad.net/keystone/+bug/1098307
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0247

iQIcBAEBCAAGBQJRETGUAAoJEFB6+JAlsQQjbC0QAIzjY1gNe/Lr2X+xDOvz+q2v 7O6Tn2ZV3X1/fgdVbicl4CVnNzkb3mbG1/pIEl7FbpSFfY6a3a8leJZD7u9bKB6z M4xNGXITGJoT7HBo8ABvDH4X6p5oA/LDkuCZVotY4SHa5xIYRcQk884DbnIYoGe7 zXEek352gHgX7m0DmABm8Pz8E+IpyFIp8rdPEv4w9EeVDJmjhZvcgsMhKZmNahph DyBMDvdGY7nXeurzI43tMdWHkqYCljq1qagLqzNxjXJj796FNixUdwnBfmvkRuDI XvNOGQEnwWMdwRhHgQm9C6o9Y8OYnA2XXLxjKhYuNOYT09c2ZPqhITuT1Aka8eg4 Xnqt6OnGLhA8qq0zYfRPGAZFXghQ20NqSDU4CaZntYS9bFUZjQegnKA9qmo2bdJp TbtE/UoZgDAxAvm5n0myHuT2nw75RCM0FWvbKA6VpgK2qikx77rK6/Y5M68F1288 hj7qxMUrbsj0aNBPoWkgpUdIzH3oLsvVq4tRxhSUGj06UIOtXo9QVpxRjmOU46eM HKKL0n2Gfmi+kXgJfUdlGeQjlYUnNIx4pljn0RHRwyc5nLGdLUTy6ufnRclYRKSY roS2qlrR+gDkKeHP3JS1zcdFblg/VKrAK5IN+JIeKRbZ+l/g2ghFemoVYjdduR3E IRB0CC4khRi7njgBdDl1 =CzsK -----END PGP SIGNATURE-----