Bug 1239010 (CVE-2015-5143)

Summary: CVE-2015-5143 Django: possible DoS by filling session store
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, ayoung, bkearney, cbillett, chrisw, dallan, gkotton, gmollett, kseifried, lhh, lpeer, markmc, mrunge, rbryant, sclewis, security-response-team, tdecacqu, tomckay, yeylon
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Django 1.8.3, Django 1.7.9, Django 1.4.21
Doc Type: Bug Fix
Doc Text:
A flaw was found in the Django session backend, which could allow an unauthenticated attacker to create session records in the configured session store, causing a denial of service by filling up the session store.
Last Closed: 2015-08-25 07:25:49 UTC
Bug Depends On: 1242350, 1242714, 1242715, 1242716, 1242717, 1243189, 1243190, 1243191
Bug Blocks: 1239014
Attachments (flags: none):
session-1.4.x.diff
session-1.7.x.diff
session-1.8.x.diff
session-master.diff

Description Martin Prpič 2015-07-03 09:05:10 UTC
The following flaw was found in Django:

In previous versions of Django, the session backends created a new empty record in the session storage anytime ``request.session`` was accessed and there was a session key provided in the request cookies that didn't already have a session record. This could allow an attacker to easily create many new session records simply by sending repeated requests with unknown session keys, potentially filling up the session store or causing other users' session records to be evicted.

The built-in session backends now create a session record only if the session is actually modified; empty session records are not created. Thus this potential DoS is now only possible if the site chooses to expose a session-modifying view to anonymous users.

As each built-in session backend was fixed separately (rather than a fix in the core sessions framework), maintainers of third-party session backends should check whether the same vulnerability is present in their backend and correct it if so.

Acknowledgements:

Red Hat would like to thank the upstream Django project for reporting this issue.
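As an added illustration (not Django's code and not part of this bug report), the toy backend below follows the shape of Django's SessionBase contract in both the pre-fix and fixed forms, and `records_after_requests` is the check a third-party backend maintainer would run: read-only access with unknown cookies must not grow the store, while a session-modifying view exposed to anonymous users still creates records, which is the residual risk the description notes. The names `SessionStore`, `records_after_requests` and `create_on_access` are assumptions for this example.

```python
import secrets

class SessionStore:
    """Toy backend following Django's SessionBase contract (added example, not Django's code)."""
    def __init__(self, store, session_key=None, create_on_access=False):
        self.store = store                        # shared backing store (a dict here)
        self.session_key = session_key            # value taken from the request cookie
        self.create_on_access = create_on_access  # True reproduces the pre-fix behaviour
        self.modified, self._data = False, None

    def _new_record(self):
        self.session_key = secrets.token_hex(16)
        self.store[self.session_key] = {}

    def _load(self):  # map the cookie's key to data; an unknown key yields an empty session
        if self.session_key in self.store:
            return dict(self.store[self.session_key])
        if self.create_on_access:
            self._new_record()       # pre-fix: persist an empty record immediately
        else:
            self.session_key = None  # fixed: discard the key; nothing is written until save()
        return {}

    def get(self, key, default=None):
        if self._data is None:
            self._data = self._load()
        return self._data.get(key, default)

    def __setitem__(self, key, value):
        self.get(key)                # load on first touch
        self._data[key] = value
        self.modified = True

    def save(self):  # end-of-request hook: persist only if the session was modified
        if not self.modified:
            return
        if self.session_key is None:
            self._new_record()
        self.store[self.session_key] = dict(self._data)

def records_after_requests(n, create_on_access, modify=False):
    """n requests with random unknown cookies read (and optionally write) the session."""
    store = {}
    for i in range(n):
        s = SessionStore(store, secrets.token_hex(16), create_on_access)
        s.get("user_id")             # any view that touches request.session
        if modify:
            s["visits"] = i          # a session-modifying view open to anonymous users
        s.save()
    return len(store)                # how many records the store now holds
```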

Comment 1 Martin Prpič 2015-07-07 07:56:18 UTC
Created attachment 1049122
session-1.4.x.diff

Comment 2 Martin Prpič 2015-07-07 07:56:21 UTC
Created attachment 1049123
session-1.7.x.diff

Comment 3 Martin Prpič 2015-07-07 07:56:24 UTC
Created attachment 1049124
session-1.8.x.diff

Comment 4 Martin Prpič 2015-07-07 07:56:27 UTC
Created attachment 1049125
session-master.diff

Comment 5 Kurt Seifried 2015-07-09 04:38:12 UTC
This is now public: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/

Comment 7 Garth Mollett 2015-07-14 03:09:32 UTC
Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 1242717]

Comment 8 Garth Mollett 2015-07-14 03:09:36 UTC
Created python-django tracking bugs for this issue:

Affects: openstack-rdo [bug 1242714]
Affects: fedora-all [bug 1242715]
Affects: epel-7 [bug 1242716]

Comment 10 Fedora Update System 2015-07-23 08:54:34 UTC
python-django-1.8.3-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-08-05 05:31:30 UTC
python-django-1.6.11-2.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 errata-xmlrpc 2015-08-24 20:16:55 UTC
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:1678 https://rhn.redhat.com/errata/RHSA-2015-1678.html

Comment 13 errata-xmlrpc 2015-08-25 05:43:44 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6
  OpenStack 5 for RHEL 7

Via RHSA-2015:1686 https://rhn.redhat.com/errata/RHSA-2015-1686.html