Thierry Carrez (thierry) reports:

Title: Swift Denial of Service using superfluous object tombstones
Reporter: Peter Portante (Red Hat)
Products: Swift
Affects: All versions

Description:
Peter Portante from Red Hat reported a vulnerability in Swift. By issuing requests with an old X-Timestamp value, an authenticated attacker can fill an object server with superfluous object tombstones, which may significantly slow down subsequent requests to that object server, facilitating a Denial of Service attack against Swift clusters.

Proposed patches:
See attached patches. Unless a flaw is discovered in them, these patches will be merged to Swift master (havana), stable/grizzly, and stable/folsom branches on the public disclosure date. A new Swift release (1.9.1) will be cut shortly after to include those patches.
Created attachment 782214 [details] swift-folsom-CVE-2013-4155.patch
Created attachment 782215 [details] swift-grizzly-CVE-2013-4155.patch
Created attachment 782216 [details] swift-master-CVE-2013-4155.patch
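As an added illustration of the issue in the advisory above and of the kind of check that closes it (this is example code written for this page, not Swift's implementation and not the attached patches): a toy model of an object server's per-object directory. The vulnerable model writes a tombstone file for every DELETE whatever X-Timestamp it carries, so stale requests accumulate files; the hardened model refuses any request whose timestamp is not newer than what is already on disk and never keeps more than one file per object. The object name, the 409 response for stale requests and the `<timestamp>.data` / `<timestamp>.ts` file layout are assumptions of the example.

```python
# Added illustration (not Swift's own code): a toy model of an object
# server's per-object "hash directory", showing why a stale X-Timestamp
# must be rejected rather than turned into yet another tombstone file.
from typing import Dict, List


def _fname(x_timestamp: float, suffix: str) -> str:
    """Swift-style file name: '<X-Timestamp>.data' or '<X-Timestamp>.ts'."""
    return "%.5f.%s" % (x_timestamp, suffix)


def _ts_of(fname: str) -> float:
    """Recover the timestamp from a '<ts>.data' / '<ts>.ts' file name."""
    return float(fname.rsplit(".", 1)[0])


class VulnerableObjectServer:
    """Behaviour the advisory describes: every DELETE writes a tombstone,
    whatever X-Timestamp it carries, so stale requests pile up files."""

    def __init__(self) -> None:
        self.objects: Dict[str, List[str]] = {}   # object name -> file list

    def put(self, name: str, x_timestamp: float) -> int:
        self.objects.setdefault(name, []).append(_fname(x_timestamp, "data"))
        return 201

    def delete(self, name: str, x_timestamp: float) -> int:
        self.objects.setdefault(name, []).append(_fname(x_timestamp, "ts"))
        return 204


class HardenedObjectServer:
    """Only a request newer than everything on disk may change state; anything
    else is refused (modelled here as 409 Conflict, an assumption of this
    example) and no file is written. After a write only the newest file is
    kept, so an object occupies at most one .data or one .ts entry."""

    def __init__(self) -> None:
        self.objects: Dict[str, List[str]] = {}

    def _newest(self, name: str) -> float:
        """Timestamp of the newest file for this object, 0.0 if none."""
        files = self.objects.get(name, [])
        return max((_ts_of(f) for f in files), default=0.0)

    def put(self, name: str, x_timestamp: float) -> int:
        if x_timestamp <= self._newest(name):
            return 409                       # stale: do not touch the disk
        self.objects[name] = [_fname(x_timestamp, "data")]
        return 201

    def delete(self, name: str, x_timestamp: float) -> int:
        if x_timestamp <= self._newest(name):
            return 409                       # stale: no tombstone written
        had_data = any(f.endswith(".data") for f in self.objects.get(name, []))
        self.objects[name] = [_fname(x_timestamp, "ts")]
        return 204 if had_data else 404


def files_after_stale_deletes(server, n: int) -> int:
    """Constructed scenario: one PUT at t=1000.0, then n DELETEs whose
    X-Timestamp values are all older than the PUT. Returns how many files
    the object's directory holds afterwards."""
    server.put("AUTH_test/c/o", 1000.0)
    for i in range(n):
        server.delete("AUTH_test/c/o", 900.0 - i)
    return len(server.objects["AUTH_test/c/o"])


if __name__ == "__main__":
    print("vulnerable:", files_after_stale_deletes(VulnerableObjectServer(), 100))
    print("hardened:  ", files_after_stale_deletes(HardenedObjectServer(), 100))
```

The point of the comparison is the ordering rule: a timestamp that is not strictly newer than the newest file already present must produce no disk write at all, otherwise every stale request costs an inode and a directory entry that later listings have to walk. Monitoring the number of files per object directory (or an unexpected growth in tombstone counts on an object server) is a cheap way to notice this pattern on releases that predate the fix.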
openstack-swift-1.8.0-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Acknowledgements: This issue was discovered by Peter Portante of Red Hat.
This issue has been addressed in the following products:
OpenStack 3 for RHEL 6
Via RHSA-2013:1197 https://rhn.redhat.com/errata/RHSA-2013-1197.html