Bug 1245200 - (CVE-2015-5159) CVE-2015-5159 python-kdcproxy: Missing request size limit allows denial of service
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20150721,reported=2...
Keywords: Security
Depends On: 1249762 1245221 1245222 1245223
Blocks: 1222950 1245256
Reported: 2015-07-21 08:59 EDT by Florian Weimer
Modified: 2016-09-22 06:20 EDT
Doc Type: Bug Fix
Last Closed: 2016-09-19 04:11:06 EDT

Attachments: None
Description Florian Weimer 2015-07-21 08:59:00 EDT
It was discovered that python-kdcproxy did not reject overly large POST
requests in the recommended default configuration, allocating arbitrary
amounts of memory, eventually triggering the OOM killer, leading to a
denial of service.

Acknowledgements:

This issue was discovered by Florian Weimer of Red Hat Product Security.
Comment 1 Florian Weimer 2015-07-21 09:56:10 EDT
Mitigation:

Add “LimitRequestBody 100000” to the <Location> stanza, like this:

    <Location "/KdcProxy">
        Satisfy Any
        Order Deny,Allow
        Allow from all
        WSGIProcessGroup kdcproxy
        WSGIApplicationGroup kdcproxy
        LimitRequestBody 100000
    </Location>
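The Apache directive above caps the body before it ever reaches the WSGI process. The following is an added example, written for this page and not taken from python-kdcproxy or the bug reporter, that shows the same limit enforced inside a Python WSGI application: the unbounded read that the description refers to next to a bounded read, and a small middleware that answers 413 for oversized bodies. The names `read_body_unbounded`, `read_body_bounded`, `limit_request_body`, `echo_app`, `make_environ` and `call` are all assumptions for this illustration, as is the constructed WSGI environ; the 100000-byte limit mirrors the `LimitRequestBody` value from the comment.

```python
"""Added example (not python-kdcproxy's code): an application-side
request-body cap for a WSGI app, equivalent in intent to Apache's
`LimitRequestBody 100000` in front of it."""
import io

MAX_BODY = 100000  # bytes; same figure as the LimitRequestBody mitigation


def read_body_unbounded(environ):
    """Vulnerable pattern: read until EOF with no bound.

    Memory use grows with whatever the client sends, which is the denial
    of service described in the bug. Shown for contrast only."""
    return environ["wsgi.input"].read()


class BodyTooLarge(Exception):
    """Raised when a request body exceeds the configured limit."""


def read_body_bounded(environ, limit=MAX_BODY):
    """Hardened pattern: refuse on Content-Length first, then read at most
    limit+1 bytes so a client that omits or understates Content-Length
    still cannot make the process buffer more than the limit."""
    length = (environ.get("CONTENT_LENGTH") or "").strip()
    if length:
        try:
            declared = int(length)
        except ValueError:
            raise BodyTooLarge("malformed Content-Length")
        if declared > limit:
            raise BodyTooLarge(f"Content-Length {declared} exceeds {limit}")
    data = environ["wsgi.input"].read(limit + 1)
    if len(data) > limit:
        raise BodyTooLarge(f"body exceeds {limit} bytes")
    return data


def limit_request_body(app, limit=MAX_BODY):
    """WSGI middleware: 413 for oversized bodies, otherwise hand the app a
    fresh, already-bounded wsgi.input so it cannot read more than limit."""
    def wrapped(environ, start_response):
        try:
            body = read_body_bounded(environ, limit)
        except BodyTooLarge as exc:
            start_response("413 Request Entity Too Large",
                           [("Content-Type", "text/plain")])
            return [str(exc).encode()]
        environ["wsgi.input"] = io.BytesIO(body)
        environ["CONTENT_LENGTH"] = str(len(body))
        return app(environ, start_response)
    return wrapped


def echo_app(environ, start_response):
    """Stand-in application that behaves like the vulnerable pattern: it
    reads the whole body. Behind the middleware that is now safe."""
    body = read_body_unbounded(environ)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [str(len(body)).encode()]


def make_environ(body, declare_length=True):
    """Constructed WSGI environ for a POST to /KdcProxy (test input, not a
    captured request). declare_length=False models a client that omits
    Content-Length to dodge a header-only check."""
    env = {"REQUEST_METHOD": "POST", "PATH_INFO": "/KdcProxy",
           "wsgi.input": io.BytesIO(body)}
    if declare_length:
        env["CONTENT_LENGTH"] = str(len(body))
    return env


def call(app, environ):
    """Invoke a WSGI app and return (status line, response body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    guarded = limit_request_body(echo_app)
    print(call(guarded, make_environ(b"k" * 10)))
    print(call(guarded, make_environ(b"k" * (MAX_BODY + 1))))
    print(call(guarded, make_environ(b"k" * (MAX_BODY + 1), declare_length=False)))
```

Both layers are worth keeping: the Apache limit stops the bytes at the front door, while the in-app check protects deployments that run the WSGI app behind a different server or forget the directive. The bounded read deliberately does not trust Content-Length alone, since a client can omit it or send a chunked body.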
Comment 3 Florian Weimer 2015-07-21 10:02:35 EDT
Created python-kdcproxy tracking bugs for this issue:

Affects: fedora-all [bug 1245223]
Comment 4 Florian Weimer 2015-07-21 10:11:13 EDT
Upstream bug report: https://github.com/npmccallum/kdcproxy/issues/20
Comment 6 Stefan Cornelius 2015-08-03 14:02:32 EDT
Created python-kdcproxy tracking bugs for this issue:

Affects: epel-7 [bug 1249762]
