Bug 1239010 - (CVE-2015-5143) CVE-2015-5143 Django: possible DoS by filling session store
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All  OS: Linux
Priority: medium  Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20150708,repor...
: Security
Depends On: 1242350 1242714 1242715 1242716 1242717 1243189 1243190 1243191
Blocks: 1239014
Reported: 2015-07-03 05:05 EDT by Martin Prpič
Modified: 2016-04-26 09:24 EDT (History)

See Also:
Fixed In Version: Django 1.8.3, Django 1.7.9, Django 1.4.21
Doc Type: Bug Fix
Doc Text:
A flaw was found in the Django session backend, which could allow an unauthenticated attacker to create session records in the configured session store, causing a denial of service by filling up the session store.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-25 03:25:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
session-1.4.x.diff (7.55 KB, text/plain), 2015-07-07 03:56 EDT, Martin Prpič
session-1.7.x.diff (8.75 KB, text/plain), 2015-07-07 03:56 EDT, Martin Prpič
session-1.8.x.diff (10.22 KB, text/plain), 2015-07-07 03:56 EDT, Martin Prpič
session-master.diff (10.22 KB, text/plain), 2015-07-07 03:56 EDT, Martin Prpič


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1678 normal SHIPPED_LIVE Moderate: python-django security update 2015-08-24 20:16:41 EDT
Red Hat Product Errata RHSA-2015:1686 normal SHIPPED_LIVE Moderate: python-django security update 2015-08-25 05:43:34 EDT

Description Martin Prpič 2015-07-03 05:05:10 EDT
The following flaw was found in Django:

In previous versions of Django, the session backends created a new empty record in the session storage anytime ``request.session`` was accessed and there was a session key provided in the request cookies that didn't already have a session record. This could allow an attacker to easily create many new session records simply by sending repeated requests with unknown session keys, potentially filling up the session store or causing other users' session records to be evicted.

The built-in session backends now create a session record only if the session is actually modified; empty session records are not created. Thus this potential DoS is now only possible if the site chooses to expose a session-modifying view to anonymous users.

As each built-in session backend was fixed separately (rather than a fix in the core sessions framework), maintainers of third-party session backends should check whether the same vulnerability is present in their backend and correct it if so.

Acknowledgements:

Red Hat would like to thank the upstream Django project for reporting this issue.
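As an added illustration (not code from this bug report or from Django itself), a toy session backend modelling the pre-fix and post-fix behaviour described above; the class and function names are assumptions. handle_request mirrors what the session middleware does: it saves only a modified session, so the fixed store leaves no record behind for an unknown cookie key unless a view actually writes to the session, which is the residual case the description points out.

```python
# Constructed model of a Django-style session backend; names are assumptions, not Django's API.
import secrets

class SessionStoreBase:
    def __init__(self, storage, session_key):
        self._storage, self.session_key = storage, session_key  # backing store, cookie key
        self._data, self.modified = None, False                  # data is loaded lazily

    def _session(self):
        if self._data is None:
            self._data = self._load()    # subclass decides what an unknown key does
        return self._data

    def get(self, key, default=None):
        return self._session().get(key, default)

    def __setitem__(self, key, value):
        self._session()[key] = value
        self.modified = True

    def save(self):
        if self.session_key is None:     # issue a fresh random key if there is none
            self.session_key = secrets.token_hex(16)
        self._storage[self.session_key] = dict(self._data or {})

class VulnerableStore(SessionStoreBase):
    # Pre-fix: an unknown key triggers create(), which persists an empty record.
    def _load(self):
        if self.session_key not in self._storage:
            self.session_key = None
            self.save()                  # empty record written before any data exists
        return dict(self._storage[self.session_key])

class FixedStore(SessionStoreBase):
    # Post-fix: an unknown key yields an empty session that is not saved on its own.
    def _load(self):
        if self.session_key not in self._storage:
            self.session_key = None      # discard the client-supplied key
            return {}
        return dict(self._storage[self.session_key])

def handle_request(store_cls, storage, cookie_key, writes=False):
    # One request touching request.session; returns the number of stored records after it.
    session = store_cls(storage, cookie_key)
    session.get("user_id")               # read-only access, as in most views
    if writes:
        session["cart"] = ["item"]       # a session-modifying view
    if session.modified:                 # middleware saves only modified sessions
        session.save()
    return len(storage)
```

Running handle_request against a third-party backend adapted to this shape is a quick way to check the point made in the description: a read-only request carrying an unknown session key should leave the store unchanged.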
Comment 1 Martin Prpič 2015-07-07 03:56:18 EDT
Created attachment 1049122 [details]
session-1.4.x.diff
Comment 2 Martin Prpič 2015-07-07 03:56:21 EDT
Created attachment 1049123 [details]
session-1.7.x.diff
Comment 3 Martin Prpič 2015-07-07 03:56:24 EDT
Created attachment 1049124 [details]
session-1.8.x.diff
Comment 4 Martin Prpič 2015-07-07 03:56:27 EDT
Created attachment 1049125 [details]
session-master.diff
Comment 5 Kurt Seifried 2015-07-09 00:38:12 EDT
This is now public: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
Comment 7 Garth Mollett 2015-07-13 23:09:32 EDT
Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 1242717]
Comment 8 Garth Mollett 2015-07-13 23:09:36 EDT
Created python-django tracking bugs for this issue:

Affects: openstack-rdo [bug 1242714]
Affects: fedora-all [bug 1242715]
Affects: epel-7 [bug 1242716]
Comment 10 Fedora Update System 2015-07-23 04:54:34 EDT
python-django-1.8.3-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2015-08-05 01:31:30 EDT
python-django-1.6.11-2.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 errata-xmlrpc 2015-08-24 16:16:55 EDT
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:1678 https://rhn.redhat.com/errata/RHSA-2015-1678.html
Comment 13 errata-xmlrpc 2015-08-25 01:43:44 EDT
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6
  OpenStack 5 for RHEL 7

Via RHSA-2015:1686 https://rhn.redhat.com/errata/RHSA-2015-1686.html