[Openstack-devel] Bug#700240: Vulnerability in OpenStack Keystone

Thomas Goirand zigo at debian.org
Thu Feb 14 06:33:16 UTC 2013


On 01/30/2013 11:33 PM, Thierry Carrez wrote:
> This is an advance warning of a vulnerability discovered in OpenStack,
> to give you, as downstream stakeholders, a chance to coordinate the
> release of fixes and reduce the vulnerability window. Please treat the
> following information as confidential until the proposed public
> disclosure date (see below).
> 
> Title: Keystone denial of service through invalid token requests
> Reporter: Dan Prince (Red Hat)
> Products: Keystone
> Affects: All versions
> 
> Description:
> Dan Prince of Red Hat reported a vulnerability in token creation error
> handling in Keystone. By requesting lots of invalid tokens, an
> unauthenticated user may fill up logs on Keystone API servers disks,
> potentially resulting in a denial of service attack against Keystone.
> 
> Proposed patches:
> See attached patches for current development tree (Grizzly) and the
> Folsom and Essex series. Unless a flaw is discovered in them, these
> proposed patches will be merged to Keystone master, stable/folsom and
> stable/essex branches on the public disclosure date.
> 
> CVE:
> No CVE was assigned yet to those issues, so please let us know what we
> should use.
> 
> Proposed public disclosure date/time:
> *Tuesday February 5th, 1500UTC*
> Please do not make the issue public (or release public patches) before
> the coordinated embargo date.
> 
> Regards,

Hi Thierry and Dan,

I got very confused about CVE-2013-0247 and CVE-2013-0270.

I have already uploaded the fix for CVE-2013-0247 in Debian SID, and now
I'm trying to understand what CVE-2013-0270 is about. My request about
it in the Openstack development list was left without an answer, so I'm
asking you directly, with Cc: to the already opened Debian bug.

The problem is that the patches I've read for CVE-2013-0270 for Essex
seem to do the exact same thing as the patches for CVE-2013-0247 (in a
slightly different way), and of course, the two patches conflict.

So, could you please confirm what my gut is telling me, which is that
this patch:
http://anonscm.debian.org/gitweb/?p=openstack/keystone.git;a=commitdiff;h=b6fe7d8c7719996b3b5a8765dee55bb0eb2944df

which fixes CVE-2013-0247 also fixes CVE-2013-0270 which must be a
duplicate of CVE-2013-0247. If this isn't the case, please tell me
what's going on, and what you think I should do to fix Keystone in
Debian Wheezy. I can apply things "by hand" if needed...

Please try to reply in a timely manner (as much as possible of course),
as all this is public already.

Cheers,

Thomas Goirand (zigo)
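The advisory quoted above says only that an unauthenticated client can fill Keystone's logs by sending many invalid token requests; it does not show the code path. The following is an added illustration of that bug class, written for this page and not taken from Keystone or from the patches under discussion. It assumes a hypothetical mechanism (logging the full, attacker-controlled request body plus a traceback on every failed token request) and contrasts it with a handler whose error logging is bounded in size and rate. The names `vulnerable_token_handler`, `hardened_token_handler`, `ErrorLogThrottle`, the fixed `demo`/`secret` credential and the attacker payload are all constructed for the example.

```python
import logging
import time
from collections import defaultdict, deque
from io import StringIO


def attacker_request(size):
    """Constructed flood payload: a bogus credential block whose size the
    attacker controls (hypothetical; not a payload from the page)."""
    return {"auth": {"passwordCredentials": {"username": "x" * size, "password": "y"}}}


def valid_request():
    """Constructed valid credential for the stand-in authenticator."""
    return {"auth": {"passwordCredentials": {"username": "demo", "password": "secret"}}}


def make_logger(name):
    """In-memory logger so the log volume produced by each handler can be measured."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def authenticate(body):
    """Stand-in for credential validation (assumed; Keystone's own is not shown)."""
    creds = body.get("auth", {}).get("passwordCredentials", {})
    if creds.get("username") == "demo" and creds.get("password") == "secret":
        return {"token": "constructed-token"}
    raise ValueError("invalid credentials")


def vulnerable_token_handler(body, logger, client_ip):
    """Unsafe pattern (assumed for illustration): every failed request, before any
    authentication, writes the whole untrusted body and a traceback to the log,
    so disk growth is proportional to attacker effort and payload size."""
    try:
        return 200, authenticate(body)
    except ValueError:
        logger.exception("token creation failed for %s: %r", client_ip, body)
        return 401, {"error": "unauthorized"}


class ErrorLogThrottle:
    """Sliding-window cap on error log lines per client key (assumed design)."""

    def __init__(self, max_per_window, window_s, clock=time.monotonic):
        self.max = max_per_window
        self.window = window_s
        self.clock = clock
        self.events = defaultdict(deque)
        self.suppressed = defaultdict(int)

    def allow(self, key):
        now = self.clock()
        q = self.events[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max:
            self.suppressed[key] += 1
            return False
        q.append(now)
        return True


def hardened_token_handler(body, logger, client_ip, throttle, max_field=64):
    """Bounded logging: an expected authentication failure gets no traceback and
    no request body, only a truncated username, and at most N lines per client
    per window. An unauthenticated client can no longer dictate log growth."""
    try:
        return 200, authenticate(body)
    except ValueError:
        if throttle.allow(client_ip):
            user = str(body.get("auth", {}).get("passwordCredentials", {}).get("username", ""))
            shown = user[:max_field] + ("..." if len(user) > max_field else "")
            logger.warning("token request rejected: client=%s user=%s", client_ip, shown)
        return 401, {"error": "unauthorized"}


def simulate_flood(requests, payload_size, client_ip="203.0.113.5"):
    """Run the same flood of invalid requests through both handlers and report
    how much log output each produced."""
    v_logger, v_buf = make_logger("example.vulnerable")
    h_logger, h_buf = make_logger("example.hardened")
    throttle = ErrorLogThrottle(max_per_window=10, window_s=60)
    body = attacker_request(payload_size)
    for _ in range(requests):
        vulnerable_token_handler(body, v_logger, client_ip)
        hardened_token_handler(body, h_logger, client_ip, throttle)
    return {
        "vulnerable_bytes": len(v_buf.getvalue()),
        "hardened_bytes": len(h_buf.getvalue()),
        "hardened_lines": h_buf.getvalue().count("\n"),
        "suppressed": throttle.suppressed[client_ip],
    }


if __name__ == "__main__":
    print(simulate_flood(500, 1000))
```

The point to take from the comparison is that the vulnerable handler's log output scales with both the request count and the size of the attacker-supplied body, while the hardened handler's output is capped by the throttle and the field truncation regardless of what the client sends; in a real deployment the throttle state would also need a bound on the number of distinct client keys it tracks.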
