[Openstack-security] [OSSG] DRAFT: Security Note: Keystone Resource Exhaustion without HTTP POST limiting
Thierry Carrez
thierry at openstack.org
Mon Apr 22 12:53:31 UTC 2013
Bryan D. Payne wrote:
> FWIW, I believe that one of the decision points here was that this
> resource exhaustion attack is linear, rather than exponential. So
> it's not as bad as a traditional DoS attack. I could see this one
> going either way. Happy to close the loop with VMT before
> publishing the note. However, it may also be worth noting that
> this entire bug / OSN has been handled publicly.
Replied to Kurt privately.
On this one we made a trade-off: rather than pushing a disruptive new
feature to a stable branch, we documented the issue and how to deploy
to avoid it. This is why it appears in an OSN rather than an OSSA: the
fix is not in the code. That doesn't mean a CVE is not warranted.
Grizzly has the sizelimit middleware and is therefore not affected.
The text of the note looks good -- maybe the title could be changed to
something that doesn't make it look like a current vulnerability as
much, but more like deployment advice for older versions -- that way
people will not mistake it for a weird OSSA. My try at it would be:
"HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS"
Hope this helps,
--
Thierry Carrez (ttx)
Release Manager, OpenStack
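The mitigation the thread refers to is a request-body size limit placed in front of Keystone. The following is an added illustration, not OpenStack's sizelimit middleware and not code from this thread: a small WSGI middleware that rejects a POST whose declared Content-Length exceeds a configured ceiling, and also caps what the wrapped application can actually read from wsgi.input, so a body that is mislabelled or streamed cannot exceed the limit either. The default limit, the `echo_app` backend and the `run_request` driver are constructed for the example.

```python
"""Added example: WSGI request-body size limiting (not OpenStack's own middleware)."""
import sys
from io import BytesIO


class RequestBodyTooLarge(Exception):
    """Raised when more bytes are read from the body than the limit allows."""


class LimitingInput:
    """Wraps wsgi.input and fails once the cumulative bytes read exceed max_bytes.

    This covers bodies whose Content-Length understates their real size, since the
    Content-Length check alone trusts a client-supplied header.
    """

    def __init__(self, stream, max_bytes):
        self._stream = stream
        self._max = max_bytes
        self._read = 0

    def _account(self, chunk):
        self._read += len(chunk)
        if self._read > self._max:
            raise RequestBodyTooLarge()
        return chunk

    def read(self, size=-1):
        # Never pull more than limit+1 bytes at once, so an oversized body is
        # detected without buffering all of it in memory first.
        allowance = self._max - self._read + 1
        if size is None or size < 0:
            chunk = self._stream.read(allowance)
        else:
            chunk = self._stream.read(min(size, allowance))
        return self._account(chunk)

    def readline(self, size=-1):
        allowance = self._max - self._read + 1
        limit = allowance if size is None or size < 0 else min(size, allowance)
        return self._account(self._stream.readline(limit))


class RequestSizeLimiter:
    """Rejects requests with a body larger than max_request_body_size bytes."""

    def __init__(self, app, max_request_body_size=114688):  # constructed default
        self.app = app
        self.max = max_request_body_size

    @staticmethod
    def _too_large(start_response, exc_info=None):
        start_response("413 Request Entity Too Large",
                       [("Content-Type", "text/plain")], exc_info)
        return [b"Request body too large\n"]

    def __call__(self, environ, start_response):
        # First line of defence: the declared length (cheap, but client-controlled).
        raw = environ.get("CONTENT_LENGTH") or "0"
        try:
            declared = int(raw)
        except ValueError:
            declared = -1
        if declared < 0 or declared > self.max:
            return self._too_large(start_response)
        # Second line of defence: cap the bytes the application can actually read.
        if "wsgi.input" in environ:
            environ["wsgi.input"] = LimitingInput(environ["wsgi.input"], self.max)
        try:
            return self.app(environ, start_response)
        except RequestBodyTooLarge:
            # exc_info lets a server that already started the response handle it per WSGI.
            return self._too_large(start_response, sys.exc_info())


def echo_app(environ, start_response):
    """Constructed backend that reads the entire body, as a JSON request parser would."""
    data = environ["wsgi.input"].read()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"read %d bytes" % len(data)]


def run_request(app, body, content_length=None):
    """Drive a WSGI app offline with a constructed POST; returns (status, response body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {
        "REQUEST_METHOD": "POST",
        "wsgi.input": BytesIO(body),
        "CONTENT_LENGTH": str(len(body) if content_length is None else content_length),
    }
    out = b"".join(app(environ, start_response))
    return captured["status"], out


if __name__ == "__main__":
    limited = RequestSizeLimiter(echo_app, max_request_body_size=1024)
    print(run_request(limited, b"x" * 100))                      # accepted
    print(run_request(limited, b"x" * 2000))                     # rejected by Content-Length
    print(run_request(limited, b"x" * 2000, content_length=10))  # rejected while reading
```

The third call in the usage block is the case the header check alone misses: a client that declares a small Content-Length and sends more. Whether the server hands the extra bytes to the application depends on the server, which is why the read-side cap is worth keeping alongside the header check.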