Thierry Carrez (firstname.lastname@example.org) reports:
Title: Swift Denial of Service using superfluous object tombstones
Reporter: Peter Portante (Red Hat)
Affects: All versions
Peter Portante from Red Hat reported a vulnerability in Swift. By
issuing requests with an old X-Timestamp value, an authenticated
attacker can fill an object server with superfluous object tombstones,
which may significantly slow down subsequent requests to that object
server, facilitating a Denial of Service attack against Swift clusters.
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to Swift master (havana), stable/grizzly, and
stable/folsom branches on the public disclosure date. A new Swift
release (1.9.1) will be cut shortly after to include those patches.
Created attachment 782214
Created attachment 782215
Created attachment 782216
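As an added illustration, not the Swift project's code or the attached patches, here is a hypothetical Python model of the object-server DELETE path that contrasts a handler writing a tombstone for every request with one that rejects requests whose X-Timestamp is not newer than what is already on disk. The directory layout, function names, and the timestamps used in the simulation are assumptions for the model.

```python
"""Hypothetical model of an object server's DELETE path (added example).

Each object lives in its own directory of timestamp-named files:
``<X-Timestamp>.data`` for live data and ``<X-Timestamp>.ts`` for a
tombstone. A handler that writes a tombstone for every DELETE, even one
carrying an X-Timestamp older than the files already present, lets stale
requests keep adding files; the hardened handler writes nothing for them.
"""
import os
import tempfile


def newest_timestamp(obj_dir):
    """Newest timestamp among .data/.ts files in obj_dir, or None if empty."""
    stamps = [float(os.path.splitext(n)[0]) for n in os.listdir(obj_dir)
              if n.endswith((".data", ".ts"))]
    return max(stamps) if stamps else None


def handle_delete(obj_dir, req_timestamp, hardened=True):
    """Model of DELETE; returns an HTTP status code.

    hardened=False reproduces the weak behaviour: every request writes a
    tombstone regardless of its X-Timestamp. hardened=True refuses requests
    that are not newer than the current on-disk state, so they leave no file.
    """
    current = newest_timestamp(obj_dir)
    if hardened and current is not None and req_timestamp <= current:
        return 409  # stale X-Timestamp: conflict, nothing written
    tomb = os.path.join(obj_dir, "%.5f.ts" % req_timestamp)
    with open(tomb, "w"):
        pass
    return 204


def tombstone_count(obj_dir):
    """Number of .ts files currently in the object directory."""
    return sum(1 for n in os.listdir(obj_dir) if n.endswith(".ts"))


def simulate(hardened, stale_requests=100):
    """Store an object at t=2000.0, then replay DELETEs stamped 1000.0, 999.0, ...

    Returns how many tombstone files are left on disk afterwards (constructed
    scenario: every replayed request is older than the stored object).
    """
    obj_dir = tempfile.mkdtemp()
    with open(os.path.join(obj_dir, "2000.00000.data"), "w"):
        pass
    for i in range(stale_requests):
        handle_delete(obj_dir, 1000.0 - i, hardened=hardened)
    return tombstone_count(obj_dir)
```

Running `simulate(False)` leaves one tombstone per stale request in the directory, while `simulate(True)` leaves none, which is the growth the report describes and the check that stops it.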
openstack-swift-1.8.0-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This issue was discovered by Peter Portante of Red Hat.
This issue has been addressed in the following products:
OpenStack 3 for RHEL 6
Via RHSA-2013:1197 https://rhn.redhat.com/errata/RHSA-2013-1197.html