Bug 1239010 (CVE-2015-5143) - CVE-2015-5143 Django: possible DoS by filling session store
Summary: CVE-2015-5143 Django: possible DoS by filling session store
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5143
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1242350 1242714 1242715 1242716 1242717 1243189 1243190 1243191
Blocks: 1239014
TreeView+ depends on / blocked
 
Reported: 2015-07-03 09:05 UTC by Martin Prpič
Modified: 2021-02-17 05:09 UTC (History)
21 users (show)

Fixed In Version: Django 1.8.3, Django 1.7.9, Django 1.4.21
Doc Type: Bug Fix
Doc Text:
A flaw was found in the Django session backend, which could allow an unauthenticated attacker to create session records in the configured session store, causing a denial of service by filling up the session store.
Clone Of:
Environment:
Last Closed: 2015-08-25 07:25:49 UTC


Attachments (Terms of Use)
session-1.4.x.diff (7.55 KB, text/plain)
2015-07-07 07:56 UTC, Martin Prpič
no flags Details
session-1.7.x.diff (8.75 KB, text/plain)
2015-07-07 07:56 UTC, Martin Prpič
no flags Details
session-1.8.x.diff (10.22 KB, text/plain)
2015-07-07 07:56 UTC, Martin Prpič
no flags Details
session-master.diff (10.22 KB, text/plain)
2015-07-07 07:56 UTC, Martin Prpič
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1678 0 normal SHIPPED_LIVE Moderate: python-django security update 2015-08-25 00:16:41 UTC
Red Hat Product Errata RHSA-2015:1686 0 normal SHIPPED_LIVE Moderate: python-django security update 2015-08-25 09:43:34 UTC

Description Martin Prpič 2015-07-03 09:05:10 UTC
The following flaw was found in Django:

In previous versions of Django, the session backends created a new empty record in the session storage anytime ``request.session`` was accessed and there was a session key provided in the request cookies that didn't already have a session record. This could allow an attacker to easily create many new session records simply by sending repeated requests with unknown session keys, potentially filling up the session store or causing other users' session records to be evicted.

The built-in session backends now create a session record only if the session is actually modified; empty session records are not created. Thus this potential DoS is now only possible if the site chooses to expose a session-modifying view to anonymous users.

As each built-in session backend was fixed separately (rather than a fix in the core sessions framework), maintainers of third-party session backends should check whether the same vulnerability is present in their backend and correct it if so.

Acknowledgements:

Red Hat would like to thank the upstream Django project for reporting this issue.

Comment 1 Martin Prpič 2015-07-07 07:56:18 UTC
Created attachment 1049122 [details]
session-1.4.x.diff

Comment 2 Martin Prpič 2015-07-07 07:56:21 UTC
Created attachment 1049123 [details]
session-1.7.x.diff

Comment 3 Martin Prpič 2015-07-07 07:56:24 UTC
Created attachment 1049124 [details]
session-1.8.x.diff

Comment 4 Martin Prpič 2015-07-07 07:56:27 UTC
Created attachment 1049125 [details]
session-master.diff

Comment 5 Kurt Seifried 2015-07-09 04:38:12 UTC
This is now public: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/

Comment 7 Garth Mollett 2015-07-14 03:09:32 UTC
Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 1242717]

Comment 8 Garth Mollett 2015-07-14 03:09:36 UTC
Created python-django tracking bugs for this issue:

Affects: openstack-rdo [bug 1242714]
Affects: fedora-all [bug 1242715]
Affects: epel-7 [bug 1242716]

Comment 10 Fedora Update System 2015-07-23 08:54:34 UTC
python-django-1.8.3-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-08-05 05:31:30 UTC
python-django-1.6.11-2.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 errata-xmlrpc 2015-08-24 20:16:55 UTC
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:1678 https://rhn.redhat.com/errata/RHSA-2015-1678.html

Comment 13 errata-xmlrpc 2015-08-25 05:43:44 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6
  OpenStack 5 for RHEL 7

Via RHSA-2015:1686 https://rhn.redhat.com/errata/RHSA-2015-1686.html


Note You need to log in before you can comment on or make changes to this bug.