[Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting

Kurt Seifried kseifried at redhat.com
Thu Apr 18 02:57:20 UTC 2013



On 04/17/2013 05:03 PM, Clark, Robert Graham wrote:
> All, below is our draft security note for bug
> https://bugs.launchpad.net/keystone/+bug/1098177 please review
> before I release it on the general OpenStack ML.

So normally you guys send the finished draft to distros@ and I assign
it a CVE there. If you want I can start assigning the CVE here and
now. Does that sound ok?

> Thanks!
> 
> -Rob
> 
> 
> Requests with large POST body can crash Pre-Grizzly Keystone or
> underlying services.
> -----
> 
> ### Summary ###
> Concurrent Keystone POST requests with large body messages are held in
> memory without filtering or rate limiting; this can lead to resource
> exhaustion on the Keystone server.
> 
> ### Affected Services / Software ###
> Keystone, Databases
> 
> ### Discussion ###
> Keystone stores POST messages in memory before validation. Concurrent
> submission of multiple large POST messages can cause the Keystone
> process to be killed due to memory exhaustion, resulting in a remote
> Denial of Service.
> 
> In many cases Keystone will be deployed behind a load-balancer or proxy
> that can rate limit POST messages inbound to Keystone. Grizzly is
> protected against that through the sizelimit middleware.
> 
> ### Recommended Actions ###
> If you are in a situation where Keystone is directly exposed to
> incoming POST messages and not protected by the sizelimit middleware,
> there are a number of load-balancing/proxy options; we suggest you
> consider one of the following:
> 
> Nginx: Open-source, high-performance HTTP server and reverse proxy.
> Nginx Config: http://wiki.nginx.org/HttpCoreModule#client_max_body_size
> 
> Apache: HTTP Server Project
> Apache Config: http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
> 
> ### Contacts / References ###
> Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1098177
> OpenStack Security ML : openstack-security at lists.openstack.org
> OpenStack Security Group : https://launchpad.net/~openstack-ossg
> 
-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
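As an added illustration of the sizelimit approach the quoted draft mentions (example code written for this note, not Keystone's own middleware), a minimal WSGI filter that rejects an oversized POST from its Content-Length before any of the body is read, and caps what the application can read when no length is declared or the declared length lies. The 64-byte cap, the echo application and the constructed requests are assumptions made for the demonstration.

```python
import io
import sys
class RequestTooLarge(Exception):
    pass

class LimitingReader:
    """Caps what the app can pull from wsgi.input, even without Content-Length."""
    def __init__(self, stream, limit):
        self._stream, self._remaining = stream, limit
    def read(self, size=-1):
        if size is None or size < 0 or size > self._remaining + 1:
            size = self._remaining + 1  # one byte past the cap detects overflow
        chunk = self._stream.read(size)
        self._remaining -= len(chunk)
        if self._remaining < 0:
            raise RequestTooLarge()
        return chunk

class RequestBodySizeLimiter:
    """WSGI middleware: reject oversized POST bodies before the app buffers them."""
    def __init__(self, app, max_bytes):
        self.app, self.max_bytes = app, max_bytes
    def __call__(self, environ, start_response):
        declared = str(environ.get("CONTENT_LENGTH") or "").strip()
        if declared and (not declared.isdigit() or int(declared) > self.max_bytes):
            return self._reject(start_response)  # header-only check, body never read
        environ["wsgi.input"] = LimitingReader(environ["wsgi.input"], self.max_bytes)
        try:
            return self.app(environ, start_response)
        except RequestTooLarge:  # exc_info lets unsent headers be replaced (PEP 3333)
            return self._reject(start_response, sys.exc_info())

    @staticmethod
    def _reject(start_response, exc_info=None):
        start_response("413 Request Entity Too Large", [("Content-Type", "text/plain")], exc_info)
        return [b"request body too large\n"]

def echo_length_app(environ, start_response):
    body = environ["wsgi.input"].read()  # naive app: buffers the entire body
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"received %d bytes\n" % len(body)]

def run_request(body, max_bytes=64, content_length=None):
    """Drive the stack with a constructed request; returns (status, response body)."""
    environ = {"REQUEST_METHOD": "POST", "wsgi.input": io.BytesIO(body),
               "CONTENT_LENGTH": content_length}
    seen = []
    start_response = lambda status, headers, exc_info=None: seen.append(status)
    out = b"".join(RequestBodySizeLimiter(echo_length_app, max_bytes)(environ, start_response))
    return seen[-1], out
```

A proxy-side limit such as nginx's client_max_body_size or Apache's LimitRequestBody gives the same header-first rejection in front of the service, which is what the draft recommends for pre-Grizzly deployments.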