[openstack-dev] [Swift] Protecting the access to memcache

Alexandra Shulman-Peleg SHULMANA at il.ibm.com
Sun Sep 15 20:03:57 UTC 2013


Hi,

Following the declaration regarding the memcache vulnerability below, I 
would like to raise a discussion regarding its protection. If we could 
limit/control the access to memcache it would be easier to confine the 
damage in case of an attack. For example, in the attached paper we added a 
gatekeeper to ensure that the keys/values stored in the memcached of 
Swift are accessed only by the tenant/domain to which they belong (e.g., a 
user from domain A cannot access the cached data of users belonging to 
domain B).

I suggest providing a generic mechanism allowing insertion of various 
memcache protections as dedicated middleware modules. Practically, 
although in Swift we have a module memcache.py which is part of 
middleware, the module memcached.py is located under "common". What is the 
motivation for this code organization? Can we move the module memcached.py 
to be under "middleware" in Swift? 

Thank you very much,
Alex.
 


----------------------------------------------------------
Alexandra Shulman-Peleg, PhD
Storage Research, Cloud Platforms Dept.
IBM Haifa Research Lab
Tel: +972-3-7689530 | Fax: +972-3-7689545


From:   Thierry Carrez <thierry at openstack.org>
To:     openstack-announce at lists.openstack.org, 
openstack at lists.openstack.org, 
Date:   11/09/2013 06:52 PM
Subject:        [Openstack] [OSSA 2013-025] Token revocation failure using 
Keystone memcache/KVS backends (CVE-2013-4294)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

OpenStack Security Advisory: 2013-025
CVE: CVE-2013-4294
Date: September 11, 2013
Title: Token revocation failure using Keystone memcache/KVS backends
Reporter: Kieran Spear (University of Melbourne)
Products: Keystone
Affects: Folsom, Grizzly

Description:
Kieran Spear from the University of Melbourne reported a vulnerability
in Keystone memcache and KVS token backends. The PKI token revocation
lists stored the entire token instead of the token ID, triggering
comparison failures, ultimately resulting in revoked PKI tokens still
being considered valid. Only Folsom and Grizzly Keystone setups making
use of PKI tokens with the memcache or KVS token backends are affected.
Havana setups, setups using UUID tokens, or setups using PKI tokens with
the SQL token backend are all unaffected.

Grizzly fix:
https://review.openstack.org/#/c/46080/

Folsom fix:
https://review.openstack.org/#/c/46079/

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4294
https://bugs.launchpad.net/keystone/+bug/1202952

Regards,

- -- 
Thierry Carrez
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
-----END PGP SIGNATURE-----


-------------- next part --------------
A non-text attachment was scrubbed...
Name: multi-tenant-isolation.pdf
Type: application/octet-stream
Size: 194912 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130915/d6203b31/attachment-0001.obj>
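As an added illustration of the gatekeeper idea proposed at the top of this message (example code written for this page, not Swift's memcached.py nor the code from the attached paper): a cache wrapper that rewrites every key into a namespace derived from the tenant that owns the request, plus a hypothetical WSGI middleware that swaps the tenant-scoped view into `env['swift.cache']`. The `InMemoryCache` class is a constructed stand-in for Swift's memcache ring, the `MemcacheGatekeeper` middleware name and the `/v1/<account>/...` path parsing are assumptions, and the demo scenario is constructed.

```python
import hashlib
import re


class InMemoryCache:
    """Minimal stand-in for Swift's MemcacheRing (constructed for this example)."""

    def __init__(self):
        self.store = {}

    def set(self, key, value, time=0):
        self.store[key] = value

    def get(self, key):
        return self.store.get(key)

    def delete(self, key):
        self.store.pop(key, None)


# Account segment of a Swift object-API path: '/v1/AUTH_a/c/o' -> 'AUTH_a' (assumed layout)
_ACCOUNT_RE = re.compile(r'^/v1/([^/]+)')
# memcached rejects keys containing whitespace or control characters
_BAD_KEY_RE = re.compile(r'[\x00-\x20\x7f]')


def tenant_from_path(path):
    m = _ACCOUNT_RE.match(path)
    return m.group(1) if m else None


class TenantScopedCache:
    """Gatekeeper view of the cache: every key is prefixed with a namespace
    derived from the owning tenant, so code running on behalf of tenant A
    cannot read, overwrite or delete entries written for tenant B."""

    def __init__(self, backend, tenant):
        self.backend = backend
        # Fixed-length hex prefix: neither the tenant name nor the key can move
        # the ':' delimiter, so two tenants can never map to the same raw key.
        # 32 hex chars + ':' leaves room under memcached's 250-byte key limit.
        self.prefix = hashlib.sha256(tenant.encode('utf-8')).hexdigest()[:32]

    def scoped(self, key):
        if not key or _BAD_KEY_RE.search(key):
            raise ValueError('invalid memcache key: %r' % (key,))
        return '%s:%s' % (self.prefix, key)

    def set(self, key, value, time=0):
        self.backend.set(self.scoped(key), value, time)

    def get(self, key):
        return self.backend.get(self.scoped(key))

    def delete(self, key):
        self.backend.delete(self.scoped(key))


class MemcacheGatekeeper:
    """Hypothetical WSGI middleware: for requests addressing an account, replace
    env['swift.cache'] with a view scoped to that account. Requests without an
    account segment are passed through unchanged (an assumption of this example)."""

    def __init__(self, app):
        self.app = app

    def __call__(self, env, start_response):
        cache = env.get('swift.cache')
        tenant = tenant_from_path(env.get('PATH_INFO', ''))
        if cache is not None and tenant is not None:
            env['swift.cache'] = TenantScopedCache(cache, tenant)
        return self.app(env, start_response)


def demo():
    """Constructed scenario: two tenants store the same logical key."""
    backend = InMemoryCache()
    a = TenantScopedCache(backend, 'AUTH_domainA')
    b = TenantScopedCache(backend, 'AUTH_domainB')
    a.set('container/meta', {'owner': 'A'})
    b.set('container/meta', {'owner': 'B'})
    return {
        'a_sees': a.get('container/meta'),
        'b_sees': b.get('container/meta'),
        'raw_keys': sorted(backend.store),
    }


if __name__ == '__main__':
    print(demo())
```

The scoping happens below the application code, so existing Swift middleware that calls `env['swift.cache'].get(...)` needs no change; the check worth adding in a real deployment is that the account used for the namespace comes from the authenticated request, not from a client-controlled header.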

