Bug 1086211 (CVE-2014-2828) - CVE-2014-2828 openstack-keystone: denial of service via V3 API authentication chaining
Summary: CVE-2014-2828 openstack-keystone: denial of service via V3 API authentication...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-2828
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Udi
URL:
Whiteboard:
Depends On: 1086212 1086213 1086214 1150354
Blocks: 1086216 1150355
TreeView+ depends on / blocked
 
Reported: 2014-04-10 11:30 UTC by Murray McAllister
Modified: 2019-09-29 13:15 UTC (History)
26 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the keystone V3 API. An attacker could send a single request with the same authentication method multiple times, possibly leading to a denial of service due to generating excessive load with minimal requests. Only keystone setups with the V3 API enabled were affected by this issue.
Clone Of:
Environment:
Last Closed: 2014-10-22 20:08:41 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1688 normal SHIPPED_LIVE Important: openstack-keystone security and bug fix update 2014-10-22 21:21:12 UTC

Description Murray McAllister 2014-04-10 11:30:18 UTC
The following was reported to the oss-security list:

Title: Keystone DoS through V3 API authentication chaining
Reporter: Abu Shohel Ahmed (Ericsson)
Products: Keystone
Versions: from 2013.1 to 2013.2.3

Description:
Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3
API authentication. By sending a single request with the same
authentication method multiple times, a remote attacker may generate
unwanted load on the Keystone host, potentially resulting in a Denial of
Service against a Keystone service. Only Keystone setups enabling V3 API
are affected.

References:
https://launchpad.net/bugs/1300274
http://seclists.org/oss-sec/2014/q2/65
https://review.openstack.org/#/c/86024/
https://git.openstack.org/cgit/openstack/keystone/commit/?id=e364ba5b12de8e4c11bd80bcca903f9615dcfc2e

Comment 2 Murray McAllister 2014-04-10 11:32:35 UTC
Created openstack-keystone tracking bugs for this issue:

Affects: fedora-all [bug 1086212]
Affects: epel-6 [bug 1086213]

Comment 4 Murray McAllister 2014-04-11 05:24:33 UTC
MITRE assigned CVE-2014-2828 to this issue:

http://seclists.org/oss-sec/2014/q2/88

Comment 5 Fedora Update System 2014-08-07 15:24:13 UTC
openstack-keystone-2013.2.3-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Martin Prpič 2014-10-20 12:10:33 UTC
IssueDescription:

A flaw was found in the keystone V3 API. An attacker could send a single request with the same authentication method multiple times, possibly leading to a denial of service due to generating excessive load with minimal requests. Only keystone setups with the V3 API enabled were affected by this issue.

Comment 8 errata-xmlrpc 2014-10-22 17:22:26 UTC
This issue has been addressed in the following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:1688 https://rhn.redhat.com/errata/RHSA-2014-1688.html


Note You need to log in before you can comment on or make changes to this bug.