[Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting

Clark, Robert Graham robert.clark at hp.com
Thu Apr 18 03:02:28 UTC 2013


On 17/04/2013 19:57, "Kurt Seifried" <kseifried at redhat.com> wrote:

>On 04/17/2013 05:03 PM, Clark, Robert Graham wrote:
>> All, below is our draft security note for bug
>> https://bugs.launchpad.net/keystone/+bug/1098177 please review
>> before I release it on the general OpenStack ML.
>
>So normally you guys send the finished draft to distros@ and I assign
>it a CVE there. If you want I can start assigning the CVE here and
>now. That sound ok?
>
>> Thanks!
>> 
>> -Rob
>> 
>> 
>> Requests with large POST body can crash Pre-Grizzly Keystone or
>> underlying services.
>> -----
>> 
>> ### Summary ###
>> Concurrent Keystone POST requests with large body messages are held
>> in memory without filtering or rate limiting; this can lead to
>> resource exhaustion on the Keystone server.
>> 
>> ### Affected Services / Software ###
>> Keystone, Databases
>> 
>> ### Discussion ###
>> Keystone stores POST messages in memory before validation;
>> concurrent submission of multiple large POST messages can cause the
>> Keystone process to be killed due to memory exhaustion, resulting in
>> a remote Denial of Service.
>> 
>> In many cases Keystone will be deployed behind a load-balancer or
>> proxy that can rate limit POST messages inbound to Keystone.
>> Grizzly is protected against that through the sizelimit
>> middleware.
>> 
>> ### Recommended Actions ###
>> If you are in a situation where Keystone is directly exposed to
>> incoming POST messages and not protected by the sizelimit middleware,
>> there are a number of load-balancing/proxy options; we suggest you
>> consider one of the following:
>> 
>> Nginx: Open-source, high-performance HTTP server and reverse proxy.
>> Nginx Config:
>> http://wiki.nginx.org/HttpCoreModule#client_max_body_size
>> 
>> Apache: HTTP Server Project
>> Apache Config:
>> http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
>> 
>> ### Contacts / References ###
>> Original LaunchPad Bug :
>> https://bugs.launchpad.net/keystone/+bug/1098177
>> OpenStack Security ML : openstack-security at lists.openstack.org
>> OpenStack Security Group : https://launchpad.net/~openstack-ossg
>> 
>> 
>-- 
>Kurt Seifried Red Hat Security Response Team (SRT)
>PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Hi Kurt,

This isn't being considered as an 'OpenStack Vulnerability' as such...

OpenStack Security Notes exist to guide users and implementers of
OpenStack through various security 'pain-points'. Security Notes do not
directly address vulnerabilities in OpenStack. OSNs provide guidance to
ensure secure use of OpenStack and will often provide workarounds or
advice for 3rd party libraries and services used in conjunction with
OpenStack.

These notes are a product of the OSSG. You should probably reach out to
the VMT if you believe that a CVE is required. I've sent this around for
comments on -security this evening and I'll publish it (with any changes)
tomorrow morning (west-coast).

-Rob
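Added example, not part of the thread and not Keystone's actual sizelimit middleware: a minimal WSGI wrapper that shows the kind of in-process request-body limit the draft note refers to, placed in front of a toy app that buffers its whole POST body the way the note describes Keystone doing. The reverse-proxy settings the note links (nginx `client_max_body_size`, Apache `LimitRequestBody`) do the same job one hop earlier; the point shown here is that the limit must be enforced before the body is buffered, and must hold even when no Content-Length header is sent. The names `body_limiter`, `echo_size_app` and `call` and the byte limits are chosen for this demonstration.

```python
import io


def body_limiter(app, max_body):
    """Wrap a WSGI app so request bodies larger than max_body bytes are
    refused with 413 before the wrapped app can buffer them.
    (Illustrative middleware, not Keystone's own sizelimit code.)"""

    def reject(start_response):
        start_response("413 Request Entity Too Large",
                       [("Content-Type", "text/plain")])
        return [b"request body exceeds limit\n"]

    def limited_app(environ, start_response):
        length = None
        declared = environ.get("CONTENT_LENGTH") or ""
        if declared:
            # Cheapest check first: an over-limit declared size is rejected
            # without reading a single byte of the body.
            try:
                length = int(declared)
            except ValueError:
                return reject(start_response)
            if length < 0 or length > max_body:
                return reject(start_response)
        # The declared length may be absent (chunked transfer) or wrong, so
        # the body is read with a hard cap: at most max_body + 1 bytes are
        # ever held here, and the extra byte reveals an overrun.
        to_read = length if length is not None else max_body + 1
        data = environ["wsgi.input"].read(to_read)
        if len(data) > max_body:
            return reject(start_response)
        # Hand the wrapped app a bounded, replayable body.
        environ["wsgi.input"] = io.BytesIO(data)
        environ["CONTENT_LENGTH"] = str(len(data))
        return app(environ, start_response)

    return limited_app


def echo_size_app(environ, start_response):
    """Stand-in for the protected service: it reads the whole body into
    memory before doing anything with it, the behaviour the note warns about."""
    body = environ["wsgi.input"].read()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"received %d bytes\n" % len(body)]


def call(app, body, content_length=True):
    """Drive a WSGI app with a constructed POST and return (status, body).
    content_length=False models a request with no Content-Length header."""
    environ = {
        "REQUEST_METHOD": "POST",
        "wsgi.input": io.BytesIO(body),
    }
    if content_length:
        environ["CONTENT_LENGTH"] = str(len(body))
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    chunks = list(app(environ, start_response))
    return captured["status"], b"".join(chunks)


if __name__ == "__main__":
    # Constructed requests against a 1 KiB limit chosen for the demo.
    protected = body_limiter(echo_size_app, 1024)
    print(call(protected, b"a" * 512))                        # accepted
    print(call(protected, b"a" * 4096))                       # 413, body never read
    print(call(protected, b"a" * 4096, content_length=False))  # 413 after bounded read
```

The first rejection path costs nothing beyond parsing a header; the second path is what keeps a client that omits or understates Content-Length from pushing the process toward the memory exhaustion the note describes, since the wrapper never reads more than `max_body + 1` bytes per request.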

