[Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting

Bryan D. Payne bdpayne at acm.org
Thu Apr 18 06:18:20 UTC 2013


FWIW, I believe that one of the decision points here was that this
resource exhaustion attack is linear, rather than exponential.  So
it's not as bad as a traditional DoS attack.  I could see this one
going either way.  Happy to close the loop with VMT before publishing
the note.  However, it may also be worth noting that this entire bug /
OSN has been handled publicly.

Cheers,
-bryan


On Wed, Apr 17, 2013 at 10:37 PM, Kurt Seifried <kseifried at redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/17/2013 09:38 PM, Clark, Robert Graham wrote:
>> I agree with you. I'm not currently responsible for how OpenStack
>> handles issues and whether they're considered as 'vulnerabilities'
>> though the OSSG will be assisting with that process in the near
>> future.
>>
>> There's discussion of the issue here:
>> https://bugs.launchpad.net/keystone/+bug/1098177 I believe the
>> request for us to cut an OSN in response to this was due to the fact
>> that it doesn't affect Grizzly and most people who would have a
>> vulnerable attack surface (web facing etc) would already be running
>> Keystone behind Nginx, WAFs, LB's etc.
>>
>> I can hold the draft while you create a CVE and we can reference
>> that in the released OSN, you should probably approach the VMT
>> about the CVE or comment on the bug perhaps?
>>
>> -Rob
>
> I've emailed the OpenStack VMT to confirm handling this.
>
> - --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (GNU/Linux)
>
> iQIcBAEBAgAGBQJRb4azAAoJEBYNRVNeJnmT33MP/RpAY6Z5Iaz9Li9BWLJAtUqS
> qyh4bTRGz9tdAu4wu6ZmfRuOZ8256r5b9el3lf4a6o42WoDGSVCxc2+5yG8mC8YV
> nwEqw8Ol6IUNV3lWi1jVX7Gho5zDZnI3Dvc1O24UNJ4Afptloitp1apUi4VK4HQo
> pCS6iMuKZwaojfmzuySkAeT39vhf5bWoDPxv91Oa4tl1UHRVDp83dya4lBizNOwv
> jMszUloBf+AAOmGhW2wFaX5bezgaxlQN8W+gAE1QueFoK5G8eyiCayCeP6bzhqZG
> 3soJQRysoa2HSmZvJ37MLbUNV/S3DyfhBFrB99yc8/m/rkLaynF9mddqL7dWrBZ1
> 5rBPQLFX+9yFYnDhS8ppguRTv/jW6DZUkCX47BU/YCr8iKOnbnPDeQ72XnHDubXv
> PcXAmI36IprawQoM/almAKf4R2JGecnrgg4DaQawWbDc/Kn61dKe6U67rGBW+UOj
> UEBJEYTgQmIdFAXgdj8e52bIFZRlIkJf3FVHEOXIIQDVmk7/zAsIVG/tC+leMBCk
> EAo/qkebWh/oIfxwl7zopWTsoYT5B9DnoxdQR2NGaUJP10wvSr6Ja3RoWI0XoINF
> 9KBC7srAWwgLodBSyDzyAkjkbNovB3dHUI91c2qCxXquN9Ff4QzZnvPChregkgM/
> ZPEqza2Sb3e9IrRFss2z
> =JHVL
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security



