Bug 906171 (CVE-2013-0247) - CVE-2013-0247 OpenStack Keystone: denial of service through invalid token requests
Summary: CVE-2013-0247 OpenStack Keystone: denial of service through invalid token req...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-0247
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Pavel Sedlák
URL:
Whiteboard:
: 889353 (view as bug list)
Depends On: 906173 906174 906178
Blocks: 889355 906189
TreeView+ depends on / blocked
 
Reported: 2013-01-31 04:31 UTC by Kurt Seifried
Modified: 2023-05-12 23:48 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-23 14:19:34 UTC
Embargoed:

Attachments (Terms of Use)
essex-CVE-2013-0247.patch (8.34 KB, patch)
2013-01-31 04:33 UTC, Kurt Seifried 		no flags Details | Diff
folsom-CVE-2013-0247.patch (8.24 KB, patch)
2013-01-31 04:33 UTC, Kurt Seifried 		no flags Details | Diff
grizzly-CVE-2013-0247.patch (10.42 KB, patch)
2013-01-31 04:33 UTC, Kurt Seifried 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1098307 0 None None None Never
Red Hat Product Errata RHSA-2013:0253 0 normal SHIPPED_LIVE Moderate: openstack-keystone security and bug fix update 2013-02-12 22:49:18 UTC

Description Kurt Seifried 2013-01-31 04:31:44 UTC 
Thierry Carrez (thierry) of the OpenStack Project reports:

Title: Keystone denial of service through invalid token requests
Reporter: Dan Prince (Red Hat)
Products: Keystone
Affects: All versions

Description:
Dan Prince of Red Hat reported a vulnerability in token creation error
handling in Keystone. By requesting lots of invalid tokens, an
unauthenticated user may fill up logs on Keystone API servers disks,
potentially resulting in a denial of service attack against Keystone.

Proposed patches:
See attached patches for current development tree (Grizzly) and the
Folsom and Essex series. Unless a flaw is discovered in them, these
proposed patches will be merged to Keystone master, stable/folsom and
stable/essex branches on the public disclosure date.
Comment 1 Kurt Seifried 2013-01-31 04:33:00 UTC 
Created attachment 690725 [details]
essex-CVE-2013-0247.patch
Comment 2 Kurt Seifried 2013-01-31 04:33:26 UTC 
Created attachment 690726 [details]
folsom-CVE-2013-0247.patch
Comment 3 Kurt Seifried 2013-01-31 04:33:42 UTC 
Created attachment 690727 [details]
grizzly-CVE-2013-0247.patch
Comment 9 Kurt Seifried 2013-01-31 20:17:43 UTC 
*** Bug 889353 has been marked as a duplicate of this bug. ***
Comment 10 Murray McAllister 2013-02-04 02:12:41 UTC 
Acknowledgements:

This issue was discovered by Dan Prince of Red Hat.
Comment 11 errata-xmlrpc 2013-02-12 17:50:55 UTC 
This issue has been addressed in following products:

  OpenStack Folsom for RHEL 6

Via RHSA-2013:0253 https://rhn.redhat.com/errata/RHSA-2013-0253.html
Comment 12 Fedora Update System 2013-02-18 07:03:48 UTC 
openstack-keystone-2012.2.3-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2013-03-28 18:38:39 UTC 
openstack-keystone-2012.2.3-4.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.