[openstack-announce] [OSSA 2013-022] Swift Denial of Service using superfluous object tombstones (CVE-2013-4155)

Thierry Carrez thierry at openstack.org
Wed Aug 7 15:47:42 UTC 2013


OpenStack Security Advisory: 2013-022
CVE: CVE-2013-4155
Date: August 7, 2013
Title: Swift Denial of Service using superfluous object tombstones
Reporter: Peter Portante (Red Hat)
Products: Swift
Affects: All versions

Description:
Peter Portante from Red Hat reported a vulnerability in Swift. By
issuing requests with an old X-Timestamp value, an authenticated
attacker can fill an object server with superfluous object tombstones,
which may significantly slow down subsequent requests to that object
server, facilitating a Denial of Service attack against Swift clusters.
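The toy model below is an added illustration, not Swift's code and not part of the advisory. It keeps one file per timestamp in an object's hash directory, as Swift does (`<timestamp>.data` for content, `<timestamp>.ts` for a tombstone), and contrasts a DELETE handler that writes a tombstone for any X-Timestamp with one that refuses a timestamp no newer than the newest file already present, which is the kind of check the fixes linked below add. The helper names, the 204/409 status values and the omission of Swift's cleanup of older files are assumptions made to keep the model short.

```python
import os
import tempfile


def newest_timestamp(hash_dir):
    """Newest timestamp among the .data/.ts files in hash_dir, or None
    if the directory is empty. Like Swift, this has to list the whole
    directory, which is what gets slow as tombstones pile up."""
    names = [n for n in os.listdir(hash_dir) if n.endswith(('.data', '.ts'))]
    if not names:
        return None
    return max(float(n.rsplit('.', 1)[0]) for n in names)


def handle_delete(hash_dir, x_timestamp, reject_older):
    """Toy DELETE handler returning an (assumed) HTTP status code.
    reject_older=False: the vulnerable behaviour, a tombstone is written
    for whatever X-Timestamp the request carries.
    reject_older=True: a request whose timestamp is not newer than the
    newest existing file is refused and nothing is written."""
    newest = newest_timestamp(hash_dir)
    if reject_older and newest is not None and x_timestamp <= newest:
        return 409  # stale timestamp: conflict, no tombstone created
    with open(os.path.join(hash_dir, '%.5f.ts' % x_timestamp), 'w'):
        pass  # an empty tombstone file is enough for the model
    return 204


def simulate(reject_older, stale_requests=50):
    """Store one object at t=1000, then send DELETEs whose timestamps all
    predate it (constructed input). Returns how many files are left in
    the hash directory afterwards."""
    with tempfile.TemporaryDirectory() as hash_dir:
        with open(os.path.join(hash_dir, '1000.00000.data'), 'w'):
            pass
        for i in range(stale_requests):
            handle_delete(hash_dir, 900.0 + i, reject_older)
        return len(os.listdir(hash_dir))


if __name__ == '__main__':
    print('vulnerable handler leaves', simulate(False), 'files')  # 51
    print('hardened handler leaves', simulate(True), 'files')     # 1
```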

Havana (development branch) fix:
https://review.openstack.org/40643

Grizzly fix:
https://review.openstack.org/40645

Folsom fix:
https://review.openstack.org/40646

Note:
The Havana fix will be included in the upcoming Swift 1.9.1 release.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4155
https://bugs.launchpad.net/swift/+bug/1196932

Regards,

-- 
Thierry Carrez
OpenStack Vulnerability Management Team
