Red Hat Bugzilla – Bug 909012
CVE-2013-0270 OpenStack Keystone: Large HTTP request DoS
Last modified: 2016-04-26 10:07:15 EDT
Dan Prince (email@example.com) reports:
When long tenant_name is sent few times when requesting token, responsiveness
of service decreases until finally it requests ends with MemoryError.
keystoneclient.exceptions.AuthorizationFailure: Authorization Failed: Unable
to communicate with identity service: Traceback ... MemoryError
Includes whole traceback.
Memory on keystone host is used up keystone-all process.
Also during processing of the request CPU utilization raises for a long time
(when and after the first MemoryError state was reached) - like for more than
10 seconds keystone-all can take whole cpu.
Version-Release number of selected component (if applicable):
Name : openstack-keystone
Arch : noarch
Version : 2012.2.1
Release : 3.el6ost
Use something similiar to following python example few times (5 times with
"len(tenant) == 195000000" for keystone host inside VM with 4GB of RAM)
For first few tries service correctly responds with:
(HTTP 400): Authorization Failed: Request attribute tenantName must be less
than or equal to 64. The server could not comply with the request because the
attribute size is invalid (too large). The client is assumed to be in error.
(HTTP 500): Authorization Failed: Unable to communicate with identity service:
Traceback (most recent call last):
... whole backtrace here
Most memory of keystone host is used by keystone-all process.
The first 400 error mentioning that attribute is too big for all request (not
only first few). And not such a big impact on memory of host.
Similiar to bug #906178 and so also to related upstream bug
https://bugs.launchpad.net/keystone/+bug/1098307 where they mentioned
preparation of general check/defense for too big requests.
This is public: https://bugs.launchpad.net/keystone/+bug/1099025
Relevant upstream patch against the master branch:
Kurt: The pipeline change you link above would fix this... but is sort of a new features. I think this commit (already on Folsom stable) is more backportable:
(In reply to comment #4)
And this is in openstack-keystone-2012.2.1-3.el6ost just published.
(In reply to comment #3)
> Relevant upstream patch against the master branch:
This was proposed for stable/folsom but did not pass review:
This issue was discovered by Dan Prince of Red Hat.
This issue has been addressed in following products:
OpenStack Folsom for RHEL 6
Via RHSA-2013:0708 https://rhn.redhat.com/errata/RHSA-2013-0708.html