Thierry Carrez (thierry) of the OpenStack Project reports:

Title: Keystone denial of service through invalid token requests
Reporter: Dan Prince (Red Hat)
Products: Keystone
Affects: All versions

Description:
Dan Prince of Red Hat reported a vulnerability in token creation error handling in Keystone. By requesting lots of invalid tokens, an unauthenticated user may fill up logs on Keystone API servers' disks, potentially resulting in a denial of service attack against Keystone.

Proposed patches:
See attached patches for the current development tree (Grizzly) and the Folsom and Essex series. Unless a flaw is discovered in them, these proposed patches will be merged to Keystone master, stable/folsom and stable/essex branches on the public disclosure date.
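The report above describes a log-flooding vector: every invalid token request writes to the API server's log, so an unauthenticated client can drive disk usage up just by repeating the request. The following is an added example written for this page, not code from the bug report, the attached patches or Keystone itself. It shows the two things an operator would want on the defending side: a detector that scans API log lines and flags clients whose failed-token rate in a sliding window exceeds a threshold (reporting how many log bytes each one caused), and a logging filter that caps how many records with the same message are written per window so repeated failures cannot grow the log without bound. The log line format, the sample lines, the window length and the threshold are all constructed assumptions for the example; real Keystone log lines differ.

```python
"""Added example (not from the Bugzilla report or Keystone): defender-side
handling for a log-flooding denial of service via repeated invalid token
requests. Log format, sample data and limits are constructed assumptions."""
import logging
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumption: sliding window length
THRESHOLD = 5                    # assumption: failures per window that count as a flood

# Constructed line format: "<ISO timestamp> <level> keystone.token client=<ip> msg=<text>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) keystone\.token client=(?P<ip>\S+) msg=(?P<msg>.*)$"
)

# Constructed sample log: one client repeats a failing token request, another fails once.
SAMPLE_LOG = """\
2013-02-06T10:00:00 WARNING keystone.token client=203.0.113.7 msg=invalid token request: bad credentials
2013-02-06T10:00:01 WARNING keystone.token client=203.0.113.7 msg=invalid token request: bad credentials
2013-02-06T10:00:02 WARNING keystone.token client=203.0.113.7 msg=invalid token request: bad credentials
2013-02-06T10:00:03 WARNING keystone.token client=203.0.113.7 msg=invalid token request: bad credentials
2013-02-06T10:00:04 WARNING keystone.token client=203.0.113.7 msg=invalid token request: bad credentials
2013-02-06T10:00:05 WARNING keystone.token client=203.0.113.7 msg=invalid token request: bad credentials
2013-02-06T10:00:30 INFO keystone.token client=198.51.100.9 msg=token issued
2013-02-06T10:00:31 WARNING keystone.token client=198.51.100.9 msg=invalid token request: bad credentials
2013-02-06T10:02:00 WARNING keystone.token client=203.0.113.7 msg=invalid token request: bad credentials
""".splitlines()


def parse_line(line):
    """Parse one constructed-format log line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "level": m["level"],
            "ip": m["ip"], "msg": m["msg"],
            "bytes": len(line.encode()) + 1}   # +1 for the newline on disk


def detect_flooders(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: {"peak": max failures seen in any window, "bytes": log bytes
    written for that client's failures}} for clients reaching the threshold."""
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside the window
    peak = defaultdict(int)
    logged_bytes = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or "invalid token request" not in rec["msg"]:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # evict failures older than the window
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
        logged_bytes[rec["ip"]] += rec["bytes"]
    return {ip: {"peak": peak[ip], "bytes": logged_bytes[ip]}
            for ip in peak if peak[ip] >= threshold}


class RateLimitFilter(logging.Filter):
    """Let at most `limit` records with the same message text through per `window`
    seconds. Excess records are dropped; when the window rolls over, the next
    record is annotated with how many were suppressed so the flood stays visible."""

    def __init__(self, limit=THRESHOLD, window=WINDOW.total_seconds()):
        super().__init__()
        self.limit, self.window = limit, window
        self.state = {}   # message text -> (window start time, count in window)

    def filter(self, record):
        key = record.getMessage()
        start, count = self.state.get(key, (record.created, 0))
        if record.created - start >= self.window:        # window rolled over
            suppressed = max(0, count - self.limit)
            start, count = record.created, 0
            if suppressed:
                record.msg = "%s (plus %d similar records suppressed)" % (key, suppressed)
                record.args = ()
        count += 1
        self.state[key] = (start, count)
        return count <= self.limit


def apply_filter(events, limit=THRESHOLD, window=WINDOW.total_seconds()):
    """events: iterable of (unix_time, message). Returns the messages the filter
    would actually write, in order, with the record time taken from the event."""
    flt = RateLimitFilter(limit, window)
    written = []
    for t, msg in events:
        rec = logging.LogRecord("keystone.token", logging.WARNING, __file__, 0, msg, (), None)
        rec.created = t
        if flt.filter(rec):
            written.append(rec.getMessage())
    return written


if __name__ == "__main__":
    print(detect_flooders(SAMPLE_LOG))
    burst = [(float(i), "invalid token request") for i in range(8)] + [(100.0, "invalid token request")]
    print(apply_filter(burst))
```

The detector is a sliding-window count, so it catches a slow flood as well as a burst, and the byte total gives a direct measure of the disk-filling effect rather than just a request count. The filter keys on message text, which is the right granularity for this class of problem: it is the repetition of the same error record, not the error itself, that fills the disk, and the suppression summary keeps the operator informed that a flood is in progress.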
Created attachment 690725: essex-CVE-2013-0247.patch
Created attachment 690726: folsom-CVE-2013-0247.patch
Created attachment 690727: grizzly-CVE-2013-0247.patch
*** Bug 889353 has been marked as a duplicate of this bug. ***
Acknowledgements: This issue was discovered by Dan Prince of Red Hat.
This issue has been addressed in the following products:

OpenStack Folsom for RHEL 6
Via RHSA-2013:0253 https://rhn.redhat.com/errata/RHSA-2013-0253.html
openstack-keystone-2012.2.3-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
openstack-keystone-2012.2.3-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.