Bug 1086211 (CVE-2014-2828)

Summary: CVE-2014-2828 openstack-keystone: denial of service via V3 API authentication chaining
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact: Udi Kalifon <ukalifon>
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, apevec, ayoung, bfilippov, breu, chazlett, chrisw, d.busby, gkotton, gmollett, itamar, Jan.van.Eldik, jonathansteffan, jose.castro.leon, jrusnack, lhh, markmc, p, rbryant, rhos-maint, sclewis, ukalifon, vdanen, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the keystone V3 API. An attacker could send a single request with the same authentication method multiple times, possibly leading to a denial of service due to generating excessive load with minimal requests. Only keystone setups with the V3 API enabled were affected by this issue.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-22 20:08:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1086212, 1086213, 1086214, 1150354
Bug Blocks: 1086216, 1150355

Description Murray McAllister 2014-04-10 11:30:18 UTC
The following was reported to the oss-security list:

Title: Keystone DoS through V3 API authentication chaining
Reporter: Abu Shohel Ahmed (Ericsson)
Products: Keystone
Versions: from 2013.1 to 2013.2.3

Description:
Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3
API authentication. By sending a single request with the same
authentication method multiple times, a remote attacker may generate
unwanted load on the Keystone host, potentially resulting in a Denial of
Service against a Keystone service. Only Keystone setups enabling V3 API
are affected.

References:
https://launchpad.net/bugs/1300274
http://seclists.org/oss-sec/2014/q2/65
https://review.openstack.org/#/c/86024/
https://git.openstack.org/cgit/openstack/keystone/commit/?id=e364ba5b12de8e4c11bd80bcca903f9615dcfc2e
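The mechanism behind the report, shown as an added example (this is not keystone's code and not the upstream fix itself): a V3 `POST /auth/tokens` body carries `auth.identity.methods`, and a controller that dispatches one plugin call per listed name does N credential checks when the same name appears N times. The hardened selector validates the structure, rejects unknown method names, and collapses repeats while keeping order, so one request costs one check per distinct method. The plugin names, request body and repeat count are constructed for the example.

```python
"""Added example: work multiplier from repeated V3 auth method names, and a
sanitizer that removes it. Not keystone's code; the request shape is modelled
on the v3 /auth/tokens body and all sample values are constructed."""
import json
from collections import Counter

# Assumed set of enabled auth plugins (constructed for the example).
SUPPORTED_METHODS = {"password", "token"}


class ValidationError(ValueError):
    """Raised when the auth block is malformed; maps to an HTTP 400 in practice."""


def method_names_unsanitized(auth):
    """Vulnerable behaviour: every listed name is dispatched, repeats included."""
    return list(auth["identity"]["methods"])


def method_names_sanitized(auth):
    """Hardened behaviour: validate structure and names, then drop repeats."""
    identity = auth.get("identity")
    if not isinstance(identity, dict):
        raise ValidationError("auth.identity is missing")
    methods = identity.get("methods")
    if not isinstance(methods, list) or not methods:
        raise ValidationError("auth.identity.methods is missing or empty")
    unique = []
    for name in methods:
        if name not in SUPPORTED_METHODS:
            raise ValidationError("unsupported auth method %r" % (name,))
        if name not in unique:  # keep first occurrence, preserve order
            unique.append(name)
    return unique


def validation_error(auth):
    """Return the validation message for a malformed auth block, else None."""
    try:
        method_names_sanitized(auth)
    except ValidationError as exc:
        return str(exc)
    return None


def dispatch(auth, select_methods):
    """Simulate the controller loop: one plugin invocation per returned name.

    Each increment stands in for plugin.authenticate(), which for the password
    plugin means a credential lookup plus a password hash verification.
    """
    calls = Counter()
    for name in select_methods(auth):
        calls[name] += 1
    return calls


def build_request(repeats):
    """Constructed V3 auth body listing the password method `repeats` times."""
    body = {
        "auth": {
            "identity": {
                "methods": ["password"] * repeats,
                "password": {
                    "user": {
                        "name": "alice",  # constructed
                        "domain": {"id": "default"},
                        "password": "not-a-real-secret",
                    }
                },
            }
        }
    }
    return json.dumps(body)


def plugin_calls(request_json, hardened):
    """Count plugin invocations a request would trigger under either selector."""
    auth = json.loads(request_json)["auth"]
    selector = method_names_sanitized if hardened else method_names_unsanitized
    return dispatch(auth, selector)


if __name__ == "__main__":
    req = build_request(1000)
    print("unsanitized password checks:", plugin_calls(req, hardened=False)["password"])
    print("sanitized password checks:  ", plugin_calls(req, hardened=True)["password"])
```

The sanitized selector is the shape of check a reviewer would look for in any multi-method authentication endpoint: bound the per-request work to the number of distinct, supported methods, and fail the request early on anything outside that set rather than letting the plugin loop decide.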

Comment 2 Murray McAllister 2014-04-10 11:32:35 UTC
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1086212]
Affects: epel-6 [bug 1086213]

Comment 4 Murray McAllister 2014-04-11 05:24:33 UTC
MITRE assigned CVE-2014-2828 to this issue:

http://seclists.org/oss-sec/2014/q2/88

Comment 5 Fedora Update System 2014-08-07 15:24:13 UTC
openstack-keystone-2013.2.3-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Martin Prpič 2014-10-20 12:10:33 UTC
IssueDescription:

A flaw was found in the keystone V3 API. An attacker could send a single request with the same authentication method multiple times, possibly leading to a denial of service due to generating excessive load with minimal requests. Only keystone setups with the V3 API enabled were affected by this issue.

Comment 8 errata-xmlrpc 2014-10-22 17:22:26 UTC
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:1688 https://rhn.redhat.com/errata/RHSA-2014-1688.html