Bug 1239010 (CVE-2015-5143) - CVE-2015-5143 Django: possible DoS by filling session store
Summary: CVE-2015-5143 Django: possible DoS by filling session store
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5143
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1242350 1242714 1242715 1242716 1242717 1243189 1243190 1243191
Blocks: 1239014
Reported: 2015-07-03 09:05 UTC by Martin Prpič
Modified: 2023-05-12 09:56 UTC (History)

Fixed In Version: Django 1.8.3, Django 1.7.9, Django 1.4.21
Doc Type: Bug Fix
Doc Text:
A flaw was found in the Django session backend, which could allow an unauthenticated attacker to create session records in the configured session store, causing a denial of service by filling up the session store.
Clone Of:
Environment:
Last Closed: 2015-08-25 07:25:49 UTC
Embargoed:


Attachments
session-1.4.x.diff (7.55 KB, text/plain), 2015-07-07 07:56 UTC, Martin Prpič
session-1.7.x.diff (8.75 KB, text/plain), 2015-07-07 07:56 UTC, Martin Prpič
session-1.8.x.diff (10.22 KB, text/plain), 2015-07-07 07:56 UTC, Martin Prpič
session-master.diff (10.22 KB, text/plain), 2015-07-07 07:56 UTC, Martin Prpič


Links
Red Hat Product Errata RHSA-2015:1678 (private: 0, priority: normal, status: SHIPPED_LIVE): Moderate: python-django security update; last updated 2015-08-25 00:16:41 UTC
Red Hat Product Errata RHSA-2015:1686 (private: 0, priority: normal, status: SHIPPED_LIVE): Moderate: python-django security update; last updated 2015-08-25 09:43:34 UTC

Description Martin Prpič 2015-07-03 09:05:10 UTC
The following flaw was found in Django:

In previous versions of Django, the session backends created a new empty record in the session storage anytime ``request.session`` was accessed and there was a session key provided in the request cookies that didn't already have a session record. This could allow an attacker to easily create many new session records simply by sending repeated requests with unknown session keys, potentially filling up the session store or causing other users' session records to be evicted.

The built-in session backends now create a session record only if the session is actually modified; empty session records are not created. Thus this potential DoS is now only possible if the site chooses to expose a session-modifying view to anonymous users.

As each built-in session backend was fixed separately (rather than a fix in the core sessions framework), maintainers of third-party session backends should check whether the same vulnerability is present in their backend and correct it if so.

Acknowledgements:

Red Hat would like to thank the upstream Django project for reporting this issue.
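The description above states that the old backends wrote an empty record whenever request.session was read with a session key that had no record, and that the fixed backends write only when the session is actually modified. The following Python is an added illustration, not Django's own code and not taken from the attached patches: a toy session store with both behaviours, a minimal stand-in for request.session, and the check a third-party backend maintainer would run to see whether read-only requests carrying never-issued session keys grow the store. All class, function and view names are constructed for this example.

```python
# Added example (not Django's code): a model of the behaviour the advisory
# describes, used to check whether a session backend persists a record for a
# session key it never issued.  All names here are constructed.
import secrets


class StoreBase:
    """Shared plumbing: an in-memory dict standing in for the DB/cache/file store."""

    def __init__(self):
        self.records = {}

    def save(self, session_key, data):
        self.records[session_key] = dict(data)


class VulnerableStore(StoreBase):
    """Pre-fix behaviour: loading an unknown key writes an empty record."""

    def load(self, session_key):
        if session_key not in self.records:
            # This write is the flaw: any unknown cookie value becomes a record.
            self.records[session_key] = {}
        return dict(self.records[session_key])


class FixedStore(StoreBase):
    """Post-fix behaviour: an unknown key yields an empty session in memory;
    the store is written only by save(), which runs when data changed."""

    def load(self, session_key):
        return dict(self.records.get(session_key, {}))


class Session:
    """Stand-in for request.session: lazy load, tracks whether it was modified."""

    def __init__(self, store, session_key):
        self._store = store
        self.session_key = session_key
        self._cache = None
        self.modified = False

    def _data(self):
        if self._cache is None:
            self._cache = self._store.load(self.session_key)
        return self._cache

    def get(self, key, default=None):
        return self._data().get(key, default)

    def __setitem__(self, key, value):
        self._data()[key] = value
        self.modified = True

    def persist(self):
        # Mirrors the middleware: write back only if something changed.
        if self.modified:
            self._store.save(self.session_key, self._cache)


def handle_request(store, cookie_key, view):
    """Middleware-like wrapper: build the session from the cookie, run the view,
    then persist if (and only if) the view modified the session."""
    session = Session(store, cookie_key)
    view(session)
    session.persist()


def read_only_view(session):
    """Reads the session without changing it, as a public page would."""
    session.get("user_id")


def login_view(session):
    """Modifies the session, as a login or cart-add view would."""
    session["user_id"] = 42


def records_after_requests(store, n, view):
    """Send n requests, each carrying a fresh never-issued session cookie,
    and return how many records the backend holds afterwards."""
    for _ in range(n):
        handle_request(store, secrets.token_hex(16), view)
    return len(store.records)


def backend_creates_records_on_read(store_cls, n=20):
    """The maintainer's check: True means the backend has the flaw, because
    read-only requests with unknown keys alone grow the store."""
    return records_after_requests(store_cls(), n, read_only_view) > 0


if __name__ == "__main__":
    for cls in (VulnerableStore, FixedStore):
        print(cls.__name__, "flawed:", backend_creates_records_on_read(cls))
```

Running records_after_requests with login_view against FixedStore still produces one record per request, which is the residual case the advisory points out: the fix removes growth from mere reads, but a session-modifying view reachable by anonymous users still lets the store grow, so such views deserve the same rate limiting or authentication gating as any other resource-creating endpoint.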

Comment 1 Martin Prpič 2015-07-07 07:56:18 UTC
Created attachment 1049122: session-1.4.x.diff

Comment 2 Martin Prpič 2015-07-07 07:56:21 UTC
Created attachment 1049123: session-1.7.x.diff

Comment 3 Martin Prpič 2015-07-07 07:56:24 UTC
Created attachment 1049124: session-1.8.x.diff

Comment 4 Martin Prpič 2015-07-07 07:56:27 UTC
Created attachment 1049125: session-master.diff

Comment 5 Kurt Seifried 2015-07-09 04:38:12 UTC
This is now public: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/

Comment 7 Garth Mollett 2015-07-14 03:09:32 UTC
Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 1242717]

Comment 8 Garth Mollett 2015-07-14 03:09:36 UTC
Created python-django tracking bugs for this issue:

Affects: openstack-rdo [bug 1242714]
Affects: fedora-all [bug 1242715]
Affects: epel-7 [bug 1242716]

Comment 10 Fedora Update System 2015-07-23 08:54:34 UTC
python-django-1.8.3-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-08-05 05:31:30 UTC
python-django-1.6.11-2.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 errata-xmlrpc 2015-08-24 20:16:55 UTC
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2015:1678 https://rhn.redhat.com/errata/RHSA-2015-1678.html

Comment 13 errata-xmlrpc 2015-08-25 05:43:44 UTC
This issue has been addressed in the following products:

  OpenStack 5 for RHEL 6
  OpenStack 5 for RHEL 7

Via RHSA-2015:1686 https://rhn.redhat.com/errata/RHSA-2015-1686.html
