Thierry Carrez (thierry) of the OpenStack Project reports:
Title: Keystone denial of service through invalid token requests
Reporter: Dan Prince (Red Hat)
Affects: All versions
Dan Prince of Red Hat reported a vulnerability in token creation error
handling in Keystone. By requesting lots of invalid tokens, an
unauthenticated user may fill up logs on Keystone API servers' disks,
potentially resulting in a denial of service attack against Keystone.
See attached patches for current development tree (Grizzly) and the
Folsom and Essex series. Unless a flaw is discovered in them, these
proposed patches will be merged to Keystone master, stable/folsom and
stable/essex branches on the public disclosure date.
Created attachment 690725
Created attachment 690726
Created attachment 690727
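The class of mitigation the advisory points at, shown as an added example that is not Keystone's code and not the attached patches: a logging filter that caps how many times one log template may be written per time window, keyed on the message template rather than the formatted line, so a burst of invalid-token errors that differ only in the bogus token value shares one budget instead of each landing on disk. The logger name, the message text and the integer millisecond clock are constructed for the example.

```python
import logging
import time
from collections import defaultdict


class RateLimitFilter(logging.Filter):
    """Cap how often one log template is written within a time window.

    Records are keyed on (logger name, level, message template), not on the
    formatted message, so errors that differ only in their arguments share
    one budget. Illustrative design, not Keystone's actual fix.
    """

    def __init__(self, max_per_window, window, clock=time.monotonic):
        super().__init__()
        self.max_per_window = max_per_window
        self.window = window                 # same units as the clock returns
        self.clock = clock
        self._state = {}                     # key -> (window_start, count)
        self.suppressed = defaultdict(int)   # key -> records dropped

    def filter(self, record):
        key = (record.name, record.levelno, record.msg)
        now = self.clock()
        start, count = self._state.get(key, (now, 0))
        if now - start >= self.window:       # window elapsed: fresh budget
            start, count = now, 0
        if count >= self.max_per_window:     # budget spent: drop the record
            self._state[key] = (start, count)
            self.suppressed[key] += 1
            return False
        self._state[key] = (start, count + 1)
        return True


class ListHandler(logging.Handler):
    """Collects formatted records in a list so the example runs offline."""

    def __init__(self, sink):
        super().__init__()
        self.sink = sink

    def emit(self, record):
        self.sink.append(self.format(record))


def simulate_invalid_token_burst(n_requests, max_per_window=5, window_ms=60_000):
    """Replay a constructed burst of invalid-token errors through the filter.

    An integer millisecond clock advances one tick per request, so 1000
    requests span one second. Returns (lines written, lines suppressed).
    """
    clock_ms = [0]
    written = []
    logger = logging.getLogger("example.keystone.token")   # hypothetical name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.WARNING)
    logger.addHandler(ListHandler(written))
    limiter = RateLimitFilter(max_per_window, window_ms, clock=lambda: clock_ms[0])
    logger.addFilter(limiter)
    try:
        for i in range(n_requests):
            clock_ms[0] += 1
            # Constructed message: the token value changes every request, as
            # it would if each request carried a different bogus token.
            logger.warning("Invalid token in request: token_id=%s", "bogus-%d" % i)
    finally:
        logger.removeFilter(limiter)
    return len(written), sum(limiter.suppressed.values())


if __name__ == "__main__":
    print(simulate_invalid_token_burst(1000))          # (5, 995)
    print(simulate_invalid_token_burst(1000, 5, 500))  # (10, 990)
```

With the default `time.monotonic` clock the window is in seconds. The `suppressed` counter is kept so an operator can still be told that a flood occurred (for instance by logging one summary line per window) without the flood itself consuming the disk; note that this bounds log growth only, and does nothing to limit the request rate reaching the API.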
*** Bug 889353 has been marked as a duplicate of this bug. ***
This issue was discovered by Dan Prince of Red Hat.
This issue has been addressed in the following products:
OpenStack Folsom for RHEL 6
Via RHSA-2013:0253 https://rhn.redhat.com/errata/RHSA-2013-0253.html
openstack-keystone-2012.2.3-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
openstack-keystone-2012.2.3-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.