Bug 906171 - (CVE-2013-0247) CVE-2013-0247 OpenStack Keystone: denial of service through invalid token requests
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
QA Contact: Pavel Sedlák
Whiteboard: impact=moderate,public=20130205,repor...
Keywords: Security
Duplicates: 889353
Depends On: 906173 906174 906178
Blocks: 889355 906189
Reported: 2013-01-30 23:31 EST by Kurt Seifried
Modified: 2016-04-26 13:11 EDT

Doc Type: Bug Fix
Last Closed: 2013-04-23 10:19:34 EDT

Attachments:
essex-CVE-2013-0247.patch (8.34 KB, patch), 2013-01-30 23:33 EST, Kurt Seifried
folsom-CVE-2013-0247.patch (8.24 KB, patch), 2013-01-30 23:33 EST, Kurt Seifried
grizzly-CVE-2013-0247.patch (10.42 KB, patch), 2013-01-30 23:33 EST, Kurt Seifried

External Trackers:
Launchpad 1098307

Description Kurt Seifried 2013-01-30 23:31:44 EST
Thierry Carrez (thierry@openstack.org) of the OpenStack Project reports:

Title: Keystone denial of service through invalid token requests
Reporter: Dan Prince (Red Hat)
Products: Keystone
Affects: All versions

Description:
Dan Prince of Red Hat reported a vulnerability in token creation error
handling in Keystone. By requesting lots of invalid tokens, an
unauthenticated user may fill up logs on Keystone API servers' disks,
potentially resulting in a denial of service attack against Keystone.

Proposed patches:
See attached patches for current development tree (Grizzly) and the
Folsom and Essex series. Unless a flaw is discovered in them, these
proposed patches will be merged to Keystone master, stable/folsom and
stable/essex branches on the public disclosure date.
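The flaw class described above is log flooding: each invalid token request produces a log line, so an unauthenticated client can exhaust disk space on the API server. Independently of what the attached patches change in Keystone's own error handling, a general defensive control is to rate-limit repeated log messages at the logging layer. The following Python is an added example written for this bug page; it is not Keystone code, not the attached patch, and the logger name and log message text are constructed for the demonstration.

```python
import logging
import time


class FloodLimitFilter(logging.Filter):
    """Rate-limit repeated log messages.

    Records are keyed by logger name, level and the *unformatted* message
    template, so a burst of "token validation failed for X" lines that
    differ only in their arguments collapses into at most `max_per_window`
    lines per `window` seconds, plus one summary line when the window
    rolls over that says how many lines were dropped.
    """

    def __init__(self, max_per_window=5, window=60.0, clock=time.monotonic):
        super().__init__()
        self.max_per_window = max_per_window
        self.window = window
        self.clock = clock          # injectable so the demo is deterministic
        self._state = {}            # key -> (window_start, count)

    def filter(self, record):
        key = (record.name, record.levelno, record.msg)
        now = self.clock()
        start, count = self._state.get(key, (now, 0))
        if now - start >= self.window:
            # New window: let this record through and report what was dropped.
            suppressed = count - self.max_per_window
            self._state[key] = (now, 1)
            if suppressed > 0:
                record.msg = "%s (suppressed %d similar messages in the previous %.0fs)" % (
                    record.msg, suppressed, self.window)
            return True
        count += 1
        self._state[key] = (start, count)
        return count <= self.max_per_window


class _ListHandler(logging.Handler):
    """Collects formatted lines in memory instead of writing to disk (demo only)."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def run_flood_scenario(n_requests=1000, max_per_window=5, window=60.0):
    """Simulate n_requests invalid-token failures inside one window, then one
    more after the window has elapsed. Returns the lines that reached the log."""
    fake_clock = [0.0]
    handler = _ListHandler()
    handler.addFilter(FloodLimitFilter(max_per_window, window, clock=lambda: fake_clock[0]))
    logger = logging.getLogger("keystone.demo.token")   # hypothetical logger name
    logger.propagate = False
    logger.setLevel(logging.WARNING)
    logger.handlers = [handler]
    for i in range(n_requests):
        fake_clock[0] += 0.001
        # Constructed message and client address; not Keystone's real log format.
        logger.warning("Token validation failed for token %s from %s",
                       "bad-%d" % i, "203.0.113.5")
    fake_clock[0] += window                             # window rolls over
    logger.warning("Token validation failed for token %s from %s",
                   "bad-final", "203.0.113.5")
    return handler.lines


if __name__ == "__main__":
    for line in run_flood_scenario():
        print(line)
```

With the defaults, 1000 failures inside one 60-second window produce five log lines, and the first failure after the window closes carries a "suppressed 995 similar messages" suffix, so the volume written to disk is bounded while the operator still learns that a flood occurred. Keying on the message template rather than the formatted text is what makes the filter effective here: every request carries a different token string, so keying on the final text would never collapse anything.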
Comment 1 Kurt Seifried 2013-01-30 23:33:00 EST
Created attachment 690725
essex-CVE-2013-0247.patch
Comment 2 Kurt Seifried 2013-01-30 23:33:26 EST
Created attachment 690726
folsom-CVE-2013-0247.patch
Comment 3 Kurt Seifried 2013-01-30 23:33:42 EST
Created attachment 690727
grizzly-CVE-2013-0247.patch
Comment 9 Kurt Seifried 2013-01-31 15:17:43 EST
*** Bug 889353 has been marked as a duplicate of this bug. ***
Comment 10 Murray McAllister 2013-02-03 21:12:41 EST
Acknowledgements:

This issue was discovered by Dan Prince of Red Hat.
Comment 11 errata-xmlrpc 2013-02-12 12:50:55 EST
This issue has been addressed in the following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0253 https://rhn.redhat.com/errata/RHSA-2013-0253.html
Comment 12 Fedora Update System 2013-02-18 02:03:48 EST
openstack-keystone-2012.2.3-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2013-03-28 14:38:39 EDT
openstack-keystone-2012.2.3-4.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.