Thierry Carrez (thierry) reports:
Title: Swift Denial of Service using superfluous object tombstones
Reporter: Peter Portante (Red Hat)
Products: Swift
Affects: All versions
Description:
Peter Portante from Red Hat reported a vulnerability in Swift. By
issuing requests with an old X-Timestamp value, an authenticated
attacker can fill an object server with superfluous object tombstones,
which may significantly slow down subsequent requests to that object
server, facilitating a Denial of Service attack against Swift clusters.
Proposed patches:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to Swift master (havana), stable/grizzly, and
stable/folsom branches on the public disclosure date. A new Swift
release (1.9.1) will be cut shortly after to include those patches.