[Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting

Bryan D. Payne bdpayne at acm.org
Wed Apr 17 23:48:18 UTC 2013


Looks good to me.
-bryan

On Wed, Apr 17, 2013 at 4:03 PM, Clark, Robert Graham
<robert.clark at hp.com> wrote:
> All, below is our draft security note for bug https://bugs.launchpad.net/keystone/+bug/1098177; please review before I release it on the general OpenStack ML.
>
> Thanks!
>
> -Rob
>
>
> Requests with large POST body can crash Pre-Grizzly Keystone or underlying services.
> -----
>
> ### Summary ###
> Concurrent Keystone POST requests with large body messages are held in memory without filtering or rate limiting; this can lead to resource exhaustion on the Keystone server.
>
> ### Affected Services / Software ###
> Keystone, Databases
>
> ### Discussion ###
> Keystone stores POST messages in memory before validation; concurrent submission of multiple large POST messages can cause the Keystone process to be killed due to memory exhaustion, resulting in a remote Denial of Service.
>
> In many cases Keystone will be deployed behind a load-balancer or proxy that can rate limit POST messages inbound to Keystone. Grizzly is protected against that through the sizelimit middleware.
>
> ### Recommended Actions ###
> If you are in a situation where Keystone is directly exposed to incoming POST messages and not protected by the sizelimit middleware, there are a number of load-balancing/proxy options; we suggest you consider one of the following:
>
> Nginx: Open-source, high-performance HTTP server and reverse proxy.
> Nginx Config: http://wiki.nginx.org/HttpCoreModule#client_max_body_size
>
> Apache: HTTP Server Project
> Apache Config: http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
>
> ### Contacts / References ###
> Original Launchpad Bug : https://bugs.launchpad.net/keystone/+bug/1098177
> OpenStack Security ML : openstack-security at lists.openstack.org
> OpenStack Security Group : https://launchpad.net/~openstack-ossg
>
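The body-size limiting that the note credits to Grizzly's sizelimit middleware, written out as an added illustration (this is not Keystone's own code and is not part of the thread): a WSGI wrapper that refuses oversized POST bodies before the wrapped application buffers them in memory. The 1 MiB cap, the `RequestBodyLimiter` name, the `echo_app` stand-in for Keystone and the `call` driver are all assumptions made for the example.

```python
from io import BytesIO

MAX_BODY_BYTES = 1024 * 1024  # assumed cap for this example; Keystone's default may differ


class RequestBodyLimiter:
    """WSGI middleware that rejects request bodies larger than max_bytes."""

    def __init__(self, app, max_bytes=MAX_BODY_BYTES):
        self.app = app
        self.max_bytes = max_bytes

    def __call__(self, environ, start_response):
        # Fast path: an honest Content-Length lets us refuse before reading anything.
        declared_len = (environ.get("CONTENT_LENGTH") or "").strip()
        if declared_len:
            try:
                declared = int(declared_len)
            except ValueError:
                return self._reject(start_response, "400 Bad Request")
            if declared > self.max_bytes:
                return self._reject(start_response, "413 Request Entity Too Large")
        # Slow path: Content-Length is missing or may lie, so read with a hard cap;
        # a client can never make this process hold more than max_bytes + 1 bytes.
        body = environ["wsgi.input"].read(self.max_bytes + 1)
        if len(body) > self.max_bytes:
            return self._reject(start_response, "413 Request Entity Too Large")
        environ["wsgi.input"] = BytesIO(body)       # hand the app a bounded body
        environ["CONTENT_LENGTH"] = str(len(body))
        return self.app(environ, start_response)

    @staticmethod
    def _reject(start_response, status):
        start_response(status, [("Content-Type", "text/plain")])
        return [status.encode()]


def echo_app(environ, start_response):
    """Stand-in for Keystone: reads the whole body into memory (the risky behaviour)."""
    body = environ["wsgi.input"].read()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"received %d bytes" % len(body)]


def call(app, body, content_length=None):
    """Drive a WSGI app with a constructed POST; returns (status, response body)."""
    environ = {"REQUEST_METHOD": "POST", "wsgi.input": BytesIO(body),
               "CONTENT_LENGTH": "" if content_length is None else str(content_length)}
    captured = {}
    result = b"".join(app(environ, lambda status, headers: captured.update(status=status)))
    return captured["status"], result
```

Without the wrapper, `echo_app` accepts and buffers any body size; behind `RequestBodyLimiter` the same request is refused with 413 whether or not the client declares a Content-Length.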
