[openstack-announce] [OSSA 2013-003] Keystone denial of service through invalid token requests (CVE-2013-0247)

Thierry Carrez thierry at openstack.org
Tue Feb 5 16:21:40 UTC 2013



OpenStack Security Advisory: 2013-003
CVE: CVE-2013-0247
Date: February 5, 2013
Title: Keystone denial of service through invalid token requests
Reporter: Dan Prince (Red Hat)
Products: Keystone
Affects: All versions

Description:
Dan Prince of Red Hat reported a vulnerability in token creation error
handling in Keystone. By requesting large numbers of invalid tokens, an
unauthenticated user can fill up the logs on the disks of Keystone API
servers, potentially resulting in a denial of service against Keystone.
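As an added illustration of the defensive pattern involved (this is example code, not the Keystone fix referenced below), the following Python logging filter caps how many records a single error template may write per time window, so an unauthenticated flood of invalid-token requests produces bounded log growth. The filter class, the `simulate_flood` scenario and the message text are all constructed for this example.

```python
import logging
import time
from collections import defaultdict


class RateLimitFilter(logging.Filter):
    """Allow at most `limit` records per message template per window; drop the rest.

    Keys on the unformatted template (record.msg), so attacker-controlled
    values interpolated into the message cannot defeat the grouping.
    """

    def __init__(self, limit, window, clock=time.monotonic):
        super().__init__()
        self.limit, self.window, self.clock = limit, window, clock
        self._window_start = {}
        self._seen = defaultdict(int)
        self.suppressed = defaultdict(int)  # dropped records per template

    def filter(self, record):
        key = record.msg
        now = self.clock()
        if key not in self._window_start or now - self._window_start[key] >= self.window:
            self._window_start[key] = now  # start a fresh window for this template
            self._seen[key] = 0
        self._seen[key] += 1
        if self._seen[key] > self.limit:
            self.suppressed[key] += 1
            return False  # over budget: record is not written
        return True


def simulate_flood(requests, limit=5, window=60.0):
    """Constructed scenario: `requests` bogus token requests each logged as an error.

    Returns (records_written, records_suppressed) so the bounded growth is visible.
    """
    log = logging.getLogger("example.token_flood")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.DEBUG)
    written = []
    handler = logging.Handler()
    handler.emit = written.append  # collect records in memory instead of on disk
    flt = RateLimitFilter(limit, window)
    log.addFilter(flt)
    log.addHandler(handler)
    for i in range(requests):
        # Attacker-supplied data goes in args, never in the template string.
        log.error("Invalid token request rejected: %s", "bogus-token-%d" % i)
    log.removeFilter(flt)
    return len(written), flt.suppressed["Invalid token request rejected: %s"]
```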

Grizzly (development branch) fix:
https://github.com/openstack/keystone/commit/8ec247bf61be0e487332d5d891246d2b7b606989

Folsom fix:
https://github.com/openstack/keystone/commit/bb2226f944aaa38beb7fc08ce0a78796e51e2680

Essex fix:
https://review.openstack.org/#/c/21216/

References:
https://bugs.launchpad.net/keystone/+bug/1098307
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0247

-- 
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
